Edit tour

Windows Analysis Report
SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe

Overview

General Information

Sample name:	SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe
Analysis ID:	1467091
MD5:	58a7d9b0cc94e95f3e89f6bb112c3275
SHA1:	f3fd93fcdd0b7595e19e4c20731439e243a87426
SHA256:	62404758252b994da1b60c819fa8cbf1b6a884cd001939479a90ba4c52585363
Tags:	exe
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for sample

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to query locales information (e.g. system language)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Classification

Process Tree

System is w10x64

SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe (PID: 6824 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe" MD5: 58A7D9B0CC94E95F3E89F6BB112C3275)

conhost.exe (PID: 6868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe

ReversingLabs: Detection: 44%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 95.0% probability

Machine Learning detection for sample

Source: SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dynam\Downloads\kdmapper-master\kdmapper-master\x64\Release\kdmapper.pdb33 source: SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe
Source:	Binary string: C:\Users\dynam\Downloads\kdmapper-master\kdmapper-master\x64\Release\kdmapper.pdb source: SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe
Source:	Binary string: c:\users\cloudbuild\337244\sdk\nal\src\winnt_wdm\driver\objfre_wnet_AMD64\amd64\iqvw64e.pdb source: SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe

Code function: 0_2_00007FF712FAE268 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,terminate,GetFileInformationByHandleEx,GetLastError,CloseHandle,terminate,GetFileInformationByHandleEx,GetLastError,CloseHandle,terminate,CloseHandle,CloseHandle,terminate,

0_2_00007FF712FAE268

Source: SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	Code function: 0_2_00007FF712FA2AE0 NtQuerySystemInformation,VirtualFree,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,VirtualFree,memset,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,DeviceIoControl,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,VirtualFree,		0_2_00007FF712FA2AE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	Code function: 0_2_00007FF712FAD960 NtQuerySystemInformation,VirtualFree,VirtualAlloc,NtQuerySystemInformation,VirtualFree,_stricmp,VirtualFree,VirtualFree,_invalid_parameter_noinfo_noreturn,		0_2_00007FF712FAD960

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe

Code function: 0_2_00007FF712FA2AE0: NtQuerySystemInformation,VirtualFree,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,VirtualFree,memset,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,DeviceIoControl,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,VirtualFree,

0_2_00007FF712FA2AE0

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	Code function: 0_2_00007FF712FA9330	0_2_00007FF712FA9330
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	Code function: 0_2_00007FF712FAE268	0_2_00007FF712FAE268
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	Code function: 0_2_00007FF712FA2AE0	0_2_00007FF712FA2AE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	Code function: 0_2_00007FF712FA3CF0	0_2_00007FF712FA3CF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	Code function: 0_2_00007FF712FAD960	0_2_00007FF712FAD960
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	Code function: 0_2_00007FF712FA27A0	0_2_00007FF712FA27A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	Code function: 0_2_00007FF712FAC3C0	0_2_00007FF712FAC3C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	Code function: 0_2_00007FF712FA1800	0_2_00007FF712FA1800
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	Code function: 0_2_00007FF712FACA10	0_2_00007FF712FACA10

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe

Code function: String function: 00007FF712FA5910 appears 83 times

Source: SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe, 00000000.00000000.1657624031.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameiQVW64.SYSH vs SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe
Source: SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe, 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameiQVW64.SYSH vs SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe
Source: SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	Binary or memory string: OriginalFilenameiQVW64.SYSH vs SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe

Source: SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	Binary string: Unknown exceptionbad array new lengthstring too longbad cast\\\.\Nal[-] \Device\Nal is already in use.[<] Loading vulnerable driver, Name: [-] Can't find TEMP folder[-] Failed to create vulnerable driver file[-] Failed to register and start service for the vulnerable driver[-] Failed to load driver iqvw64e.sysntoskrnl.exe[-] Failed to get ntoskrnl.exe[-] Failed to ClearPiDDBCacheTable[-] Failed to ClearKernelHashBucketList[!] Failed to ClearMmUnloadedDrivers[<] Unloading vulnerable driver[!] Error dumping shit inside the disk[+] Vul driver data destroyed before unlink[-] Failed to translate virtual address 0x[-] Failed to map IO space of 0x[!] Failed to unmap IO space of physical address 0xMmAllocatePagesForMdl[!] Failed to find MmAlocatePagesForMdlMmMapLockedPagesSpecifyCache[!] Failed to find MmMapLockedPagesSpecifyCacheMmProtectMdlSystemAddress[!] Failed to find MmProtectMdlSystemAddressMmUnmapLockedPages[!] Failed to find MmUnmapLockedPagesMmFreePagesFromMdl[!] Failed to find MmFreePagesFromMdlExAllocatePoolWithTag[!] Failed to find ExAllocatePoolExFreePool[!] Failed to find device_object[!] Failed to find driver_object[!] Failed to find driver_section[!] Failed to find driver name[!] Failed to read driver name[!] Failed to write driver name length[+] MmUnloadedDrivers Cleaned: ExAcquireResourceExclusiveLite[!] Failed to find ExAcquireResourceExclusiveLiteExReleaseResourceLite[!] Failed to find ExReleaseResourceLiteRtlDeleteElementGenericTableAvl[!] Failed to find RtlDeleteElementGenericTableAvlRtlLookupElementGenericTableAvl[!] Failed to find RtlLookupElementGenericTableAvlxxxxxx????xxxxx????xxx????xxxxx????x????xx?x
Source: SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	Binary string: \Device\Nal

Source: classification engine

Classification label: mal56.winEXE@2/1@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6868:120:WilError_03

Source: SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe

ReversingLabs: Detection: 44%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe "C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\dynam\Downloads\kdmapper-master\kdmapper-master\x64\Release\kdmapper.pdb33 source: SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe
Source:	Binary string: C:\Users\dynam\Downloads\kdmapper-master\kdmapper-master\x64\Release\kdmapper.pdb source: SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe
Source:	Binary string: c:\users\cloudbuild\337244\sdk\nal\src\winnt_wdm\driver\objfre_wnet_AMD64\amd64\iqvw64e.pdb source: SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe

Source: SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe

Code function: 0_2_00007FF712FA2AE0 NtQuerySystemInformation,VirtualFree,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,VirtualFree,memset,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,DeviceIoControl,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,VirtualFree,

0_2_00007FF712FA2AE0

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe

API coverage: 2.4 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe

0_2_00007FF712FAE268

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe

Code function: 0_2_00007FF712FAE6B8 GetLastError,IsDebuggerPresent,OutputDebugStringW,

0_2_00007FF712FAE6B8

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe

Code function: 0_2_00007FF712FAE6B8 GetLastError,IsDebuggerPresent,OutputDebugStringW,

0_2_00007FF712FAE6B8

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe

0_2_00007FF712FA2AE0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	Code function: 0_2_00007FF712FA9330 SetUnhandledExceptionFilter,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,__std_fs_code_page,memcmp,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF712FA9330
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	Code function: 0_2_00007FF712FAF4FC SetUnhandledExceptionFilter,	0_2_00007FF712FAF4FC
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	Code function: 0_2_00007FF712FAF350 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF712FAF350
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	Code function: 0_2_00007FF712FAEBB8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF712FAEBB8

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe

Code function: GetLocaleInfoEx,FormatMessageA,

0_2_00007FF712FADFB4

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe

Code function: 0_2_00007FF712FAF568 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF712FAF568

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Process Injection	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	3 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	45%	ReversingLabs
SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.thawte.com/ThawteTimestampingCA.crl0	SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	false	URL Reputation: safe	unknown
http://ocsp.thawte.com0	SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1467091
Start date and time:	2024-07-03 18:06:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe
Detection:	MAL
Classification:	mal56.winEXE@2/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 4 Number of non-executed functions: 66
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	97
Entropy (8bit):	4.68946445647071
Encrypted:	false
SSDEEP:	3:ytoICArEE0IEVq4MILAAzI1MCJEdMgxGzin:wRCA5CVq4FAAzI1M5VGzin
MD5:	293C14E3E6CE8BCF759BCB6365C0D4FB
SHA1:	0D7B836D72608CD666F00FFFAC677B8BFB660161
SHA-256:	3C5C212D5DC08B830238A0B4B2B46B07EEA0847F1C05CC658F27F4DC44BE384C
SHA-512:	0612C0976E7FBFF0CB8D311370EB1C031E61EE5B5AEB14C5A965F2B87B1E8BE4E401F7213A83B299E0E2C787CEFF7FFC7AC3B91D20AC6DE1A537D5EC952A0A5E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......[!] Incorrect Usage!..[+] Usage: kdmapper.exe [--free][--mdl][--PassAllocationPtr] driver..

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.137276392331251
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe
File size:	136'192 bytes
MD5:	58a7d9b0cc94e95f3e89f6bb112c3275
SHA1:	f3fd93fcdd0b7595e19e4c20731439e243a87426
SHA256:	62404758252b994da1b60c819fa8cbf1b6a884cd001939479a90ba4c52585363
SHA512:	8271862b5644152494f4e5e9c195a7a3f43c6bf535bab9623c55c9d86617bad0d79e9cf5382446df994b798dd14768e31a30e53a926fefdf4e2e033fb0db12b9
SSDEEP:	3072:aNK7sxZHzwOMz1G6yLB40GrXmJTQSaMm5/6yzwRGrT:asYxZRj1q0WlEG
TLSH:	ABD33B5763A510A8E5B7E2BCDAB64612E7B27C140774D7CF0350813A0F627E1AE3EB61
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B..O........................................%...........M...............0^......0^x.....0^......Rich...........................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x14000f0b4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6627EBF4 [Tue Apr 23 17:12:20 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	183978a44ba0462e201da2bf5312bb94

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FBFB8B946D0h
dec eax
add esp, 28h
jmp 00007FBFB8B94097h
int3
int3
retn 0000h
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007FBFB8B94232h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007FBFB8B94235h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007FBFB8B9422Dh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007FBFB8B9388Eh
int3
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+18h], esi
push edi
dec eax
sub esp, 10h
xor eax, eax
xor ecx, ecx
cpuid
inc esp
mov eax, ecx
inc ebp
xor ebx, ebx
inc esp
mov edx, edx
inc ecx
xor eax, 6C65746Eh
inc ecx
xor edx, 49656E69h
inc esp
mov ecx, ebx
mov esi, eax
xor ecx, ecx

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1f5a8	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x24000	0x1e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x23000	0xccc	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x25000	0x100	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1cad0	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1cb80	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1c990	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x11000	0x5b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xf1f8	0xf200	faf22897ec01ba2a98e9f0ea2393a2d7	False	0.5015334452479339	data	6.239153652132455	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x11000	0x10434	0x10600	9305ffd0bada176c4f2cb7aff2f44a84	False	0.4282711116412214	data	5.775899677761921	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x22000	0xd60	0x600	bf62bb49a8b6002a5206c2e3a19f8bfb	False	0.205078125	data	3.499545685261346	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x23000	0xccc	0xe00	1ff31f699355428c811535cdd5d43bf6	False	0.45703125	data	4.609010788641389	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x24000	0x1e8	0x200	971a6bbdae0e0e43dfd18434202d1eec	False	0.5390625	data	4.772037401703051	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x25000	0x100	0x200	d5a8347d20875382250ff5d6b90054f1	False	0.435546875	data	3.175024014376331	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x24060	0x188	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5892857142857143

Imports

DLL	Import
KERNEL32.dll	GetCurrentThreadId, GetModuleHandleA, GetLastError, CloseHandle, CreateFileW, GetProcAddress, DeleteCriticalSection, GetCurrentProcessId, SetUnhandledExceptionFilter, GetTempPathW, FormatMessageA, GetLocaleInfoEx, InitializeCriticalSectionEx, VirtualAlloc, DeviceIoControl, VirtualFree, FindClose, FindFirstFileW, GetFileAttributesExW, AreFileApisANSI, GetModuleHandleW, GetFileInformationByHandleEx, WideCharToMultiByte, IsDebuggerPresent, OutputDebugStringW, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeSListHead, LocalFree
ADVAPI32.dll	RegCloseKey, RegDeleteTreeW, RegCreateKeyW, RegOpenKeyW, RegSetKeyValueW
MSVCP140.dll	?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@_K@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z, ?getloc@ios_base@std@@QEBA?AVlocale@2@XZ, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ?good@ios_base@std@@QEBA_NXZ, ??7ios_base@std@@QEBA_NXZ, ?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?widen@?$ctype@_W@std@@QEBA_WD@Z, ?always_noconv@codecvt_base@std@@QEBA_NXZ, ??Bid@locale@std@@QEAA_KXZ, ?_Winerror_map@std@@YAHH@Z, ?_Syserror_map@std@@YAPEBDH@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@K@Z, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z, ?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z, ??1_Lockit@std@@QEAA@XZ, ??0_Lockit@std@@QEAA@H@Z, ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ, ?uncaught_exception@std@@YA_NXZ, ?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A, ?id@?$ctype@_W@std@@2V0locale@2@A, ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ, ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ, ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z, ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z, ?put@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@_W@Z, ?widen@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WD@Z, ?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z, ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?_Xlength_error@std@@YAXPEBD@Z, ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
ntdll.dll	NtQuerySystemInformation, RtlInitUnicodeString
VCRUNTIME140_1.dll	__CxxFrameHandler4
VCRUNTIME140.dll	_CxxThrowException, __C_specific_handler, memset, __current_exception_context, __std_exception_copy, __std_exception_destroy, memcmp, __current_exception, memmove, __std_terminate, memcpy
api-ms-win-crt-stdio-l1-1-0.dll	fsetpos, ungetc, fclose, fputc, fread, _fseeki64, setvbuf, fgetpos, fwrite, __p__commode, _set_fmode, fgetc, fflush, _get_stream_buffer_pointers
api-ms-win-crt-heap-l1-1-0.dll	malloc, _callnewh, _set_new_mode, free
api-ms-win-crt-utility-l1-1-0.dll	rand, srand
api-ms-win-crt-filesystem-l1-1-0.dll	_lock_file, _wremove, _unlock_file
api-ms-win-crt-string-l1-1-0.dll	_stricmp, _wcsicmp
api-ms-win-crt-time-l1-1-0.dll	_time64
api-ms-win-crt-runtime-l1-1-0.dll	exit, _initterm_e, _configure_wide_argv, _initterm, __p___argc, _get_initial_wide_environment, _seh_filter_exe, _cexit, _crt_atexit, _register_onexit_function, _initialize_onexit_table, _set_app_type, _register_thread_local_exe_atexit_callback, _c_exit, terminate, _initialize_wide_environment, system, __p___wargv, _invalid_parameter_noinfo_noreturn, _exit
api-ms-win-crt-locale-l1-1-0.dll	___lc_codepage_func, _configthreadlocale
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	12:06:58
Start date:	03/07/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe"
Imagebase:	0x7ff712fa0000
File size:	136'192 bytes
MD5 hash:	58A7D9B0CC94E95F3E89F6BB112C3275
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:06:58
Start date:	03/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	18.9%
Total number of Nodes:	1929
Total number of Limit Nodes:	3

Executed Functions

Function 00007FF712FA9330 Relevance: 70.7, APIs: 25, Strings: 15, Instructions: 688COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF712FA9373
_wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF712FA93BB
_wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF712FA93FB
_wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF712FA946B
_wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF712FA94AB
_wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF712FA951B
_wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF712FA955B
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?), ref: 00007FF712FA95B2
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?), ref: 00007FF712FA95DA
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?), ref: 00007FF712FA9601
__std_fs_code_page.MSVCPRT ref: 00007FF712FA9766
memcmp.VCRUNTIME140(?), ref: 00007FF712FA97B1
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?), ref: 00007FF712FA98EE
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA9911
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 00007FF712FA9949
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 00007FF712FA9950
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 00007FF712FA9957
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 00007FF712FA9AB4
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?), ref: 00007FF712FA9B1B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 00007FF712FA9B65
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA9C3D
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA9CBF
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA9CE2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FA9D16
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FA9DE1

Strings

[+] Free pool memory after usage enabled, xrefs: 00007FF712FA9595
[-] File , xrefs: 00007FF712FA9AD5
[+] Pass Allocation Ptr as first param enabled, xrefs: 00007FF712FA95E4
mdl, xrefs: 00007FF712FA9464, 00007FF712FA94A4
[+] success, xrefs: 00007FF712FA9CC5
[-] Failed to read image to memory, xrefs: 00007FF712FA9BB7
doesn't exist, xrefs: 00007FF712FA9B02
[+] Usage: kdmapper.exe [--free][--mdl][--PassAllocationPtr] driver, xrefs: 00007FF712FA98F4
.sys, xrefs: 00007FF712FA97AA
[!] Incorrect Usage!, xrefs: 00007FF712FA98D1
[-] Warning failed to fully unload vulnerable driver , xrefs: 00007FF712FA9CA2
[+] Mdl memory usage enabled, xrefs: 00007FF712FA95BD
free, xrefs: 00007FF712FA93B4, 00007FF712FA93F4
[-] Failed to map , xrefs: 00007FF712FA9C06
PassAllocationPtr, xrefs: 00007FF712FA9514, 00007FF712FA9554

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_V01@@W@std@@@std@@$_invalid_parameter_noinfo_noreturn$_wcsicmp$ExceptionFilterUnhandled__std_fs_code_pagememcmp
String ID: [!] Incorrect Usage!$ doesn't exist$.sys$PassAllocationPtr$[+] Free pool memory after usage enabled$[+] Mdl memory usage enabled$[+] Pass Allocation Ptr as first param enabled$[+] Usage: kdmapper.exe [--free][--mdl][--PassAllocationPtr] driver$[+] success$[-] Failed to map $[-] Failed to read image to memory$[-] File $[-] Warning failed to fully unload vulnerable driver $free$mdl
API String ID: 479729990-1302835770
Opcode ID: 57c9e28aabbb2cddc90e3a9a9f23a01467ab4f27a87d17974de18547fb2a9fe5
Instruction ID: 71d0f326a3871e4a4710e1cf09d1f700d0ce6af6cd21b12f07ebc1da3029d053
Opcode Fuzzy Hash: 57c9e28aabbb2cddc90e3a9a9f23a01467ab4f27a87d17974de18547fb2a9fe5
Instruction Fuzzy Hash: 9E52A466F18E4685EF50AB25D4442B9A3A9FF44BB4FD06631DA1E036D4DFBCE588C320

Function 00007FF712FA5910 Relevance: 13.6, APIs: 9, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?good@ios_base@std@@QEBA_NXZ.MSVCP140(FFFFFFFF,00000000,?,?,?,00007FF712FA15D3), ref: 00007FF712FA598A
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA59AA
?good@ios_base@std@@QEBA_NXZ.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA59BA
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA5A07
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA5A31
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA5A56
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA5A9D
?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA5AA4
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA5AB1

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@U?$char_traits@_W@std@@@std@@$?good@ios_base@std@@?sputc@?$basic_streambuf@_$?flush@?$basic_ostream@?setstate@?$basic_ios@_?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
String ID:
API String ID: 1647946921-0
Opcode ID: 0a2b1289ed850ce5a6cc45d9a0cf48bc558de9ab1d5187c6e46add9a75fe4373
Instruction ID: 5076526ecd0e43339a30354a47cde6d2c8d4a7876794f4fde2468898f3541e95
Opcode Fuzzy Hash: 0a2b1289ed850ce5a6cc45d9a0cf48bc558de9ab1d5187c6e46add9a75fe4373
Instruction Fuzzy Hash: 47512E22B08E4181EB60AF19E594239E7A4FB88FA5F95D531CE4E47BA0CF79D54AC310

Function 00007FF712FAEF38 Relevance: 13.6, APIs: 9, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF712FAEF4C
__scrt_acquire_startup_lock.LIBCMT ref: 00007FF712FAEF61
__scrt_release_startup_lock.LIBCMT ref: 00007FF712FAEFCF
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FAF01D
_get_initial_wide_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FAF022
__p___wargv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FAF02A
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FAF032
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FAF054
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FAF0AE

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: __p___argc__p___wargv__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_release_startup_lock_cexit_exit_get_initial_wide_environment_register_thread_local_exe_atexit_callback
String ID:
API String ID: 1184979102-0
Opcode ID: 31e9bd74f2649d3bc3b452098acaf2e171843a3001b2598f79c46f2741660a67
Instruction ID: 97c4c580546b639c38e80fe23d2af059bb72efcd6f70d2be74ec4f2056ed9cac
Opcode Fuzzy Hash: 31e9bd74f2649d3bc3b452098acaf2e171843a3001b2598f79c46f2741660a67
Instruction Fuzzy Hash: 30314021E08E0742FA90BB2494563BA9399AF55FA4FC46534E54E0B2D3DEEEA44CC670

Function 00007FF712FA5AF0 Relevance: 4.5, APIs: 3, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?widen@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WD@Z.MSVCP140 ref: 00007FF712FA5B05
?put@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@_W@Z.MSVCP140 ref: 00007FF712FA5B11
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF712FA5B1A

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: U?$char_traits@_W@std@@@std@@$?flush@?$basic_ostream@?put@?$basic_ostream@_?widen@?$basic_ios@_D@std@@@std@@U?$char_traits@V12@V12@_
String ID:
API String ID: 1552636710-0
Opcode ID: a161826a73a96f399066167084e507513aae689c47126b9b20167b9a9b21591e
Instruction ID: 91a64c9e2ae7cf91d5b6bcc858ebc142c70b5c00347f7adcf478f708167bfed5
Opcode Fuzzy Hash: a161826a73a96f399066167084e507513aae689c47126b9b20167b9a9b21591e
Instruction Fuzzy Hash: 77D01714A84A0682DE08AF26B8941396365AF8DFA2F8CA030CD0F87310CE3CD199C624

Non-executed Functions

Function 00007FF712FA3CF0 Relevance: 82.8, APIs: 22, Strings: 25, Instructions: 590COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF712FA79C0: memmove.VCRUNTIME140(00000000,?,?,?,00007FF712FA1347), ref: 00007FF712FA79F8

Part of subcall function 00007FF712FAD960: NtQuerySystemInformation.NTDLL ref: 00007FF712FAD993
Part of subcall function 00007FF712FAD960: VirtualFree.KERNEL32 ref: 00007FF712FAD9B0
Part of subcall function 00007FF712FAD960: VirtualAlloc.KERNEL32 ref: 00007FF712FAD9C6
Part of subcall function 00007FF712FAD960: NtQuerySystemInformation.NTDLL ref: 00007FF712FAD9E1
Part of subcall function 00007FF712FAD960: VirtualFree.KERNEL32 ref: 00007FF712FADA02

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FA3D8A

Part of subcall function 00007FF712FA2110: DeviceIoControl.KERNEL32 ref: 00007FF712FA2178

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA3DFF
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA3EA0
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF712FA3F78
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF712FA3F84
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA3FD2
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA4014

Part of subcall function 00007FF712FA2FE0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,-0000000A,00007FF712FA3913), ref: 00007FF712FA30AA
Part of subcall function 00007FF712FA2FE0: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,-0000000A,00007FF712FA3913), ref: 00007FF712FA30EA

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA405E
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA4090

Part of subcall function 00007FF712FA5910: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA5A07

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA3F94

Part of subcall function 00007FF712FA5910: ?good@ios_base@std@@QEBA_NXZ.MSVCP140(FFFFFFFF,00000000,?,?,?,00007FF712FA15D3), ref: 00007FF712FA598A
Part of subcall function 00007FF712FA5910: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA59AA
Part of subcall function 00007FF712FA5910: ?good@ios_base@std@@QEBA_NXZ.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA59BA
Part of subcall function 00007FF712FA5910: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA5A9D
Part of subcall function 00007FF712FA5910: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA5AA4
Part of subcall function 00007FF712FA5910: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA5AB1

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA4651

Strings

[-] Failed to read g_KernelHashBucketList next entry!, xrefs: 00007FF712FA453C
[-] Can't Find g_HashCacheLock, xrefs: 00007FF712FA3E05, 00007FF712FA3EAE, 00007FF712FA3ED5
[-] Failed to release g_KernelHashBucketList lock!, xrefs: 00007FF712FA402D, 00007FF712FA4073, 00007FF712FA44ED, 00007FF712FA4583
xxx????x?xxxxxxx, xrefs: 00007FF712FA3DA7
[!] g_KernelHashBucketList looks empty!, xrefs: 00007FF712FA4041
[+] Found In g_KernelHashBucketList: , xrefs: 00007FF712FA4355
[-] Failed to clear g_KernelHashBucketList entry pool!, xrefs: 00007FF712FA44B1
[-] Failed to read g_KernelHashBucketList next entry ptr!, xrefs: 00007FF712FA4424
[+] g_KernelHashBucketList Cleaned, xrefs: 00007FF712FA44BD
[+] g_HashCacheLock Locked, xrefs: 00007FF712FA3FBC
ci.dll, xrefs: 00007FF712FA3D3B
[-] Failed to read g_KernelHashBucketList entry text!, xrefs: 00007FF712FA452A
[+] g_KernelHashBucketList Found 0x, xrefs: 00007FF712FA3F5B
[-] Failed to read g_KernelHashBucketList entry text ptr!, xrefs: 00007FF712FA4533
[-] Can't Find g_KernelHashBucketList, xrefs: 00007FF712FA3DCD
[-] Can't lock g_HashCacheLock, xrefs: 00007FF712FA3FB0
[-] Failed to read g_KernelHashBucketList entry text len!, xrefs: 00007FF712FA4566
[-] Can't find pattern, xrefs: 00007FF712FA3E83
xxx, xrefs: 00007FF712FA3E50
[-] Failed to write g_KernelHashBucketList prev entry ptr!, xrefs: 00007FF712FA4521
[-] Can't Find g_HashCache relative address, xrefs: 00007FF712FA4634
[-] Failed to read first g_KernelHashBucketList entry!, xrefs: 00007FF712FA3FF7
[-] Can't Find ci.dll module address, xrefs: 00007FF712FA3D9B
[-] Read failed in FindPatternAtKernel, xrefs: 00007FF712FA3E36
[-] No module address to find pattern, xrefs: 00007FF712FA3DE2

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: V01@$U?$char_traits@_W@std@@@std@@$??6?$basic_ostream@_$V01@@$Virtual$?good@ios_base@std@@D@std@@@std@@FreeInformationQuerySystemU?$char_traits@_invalid_parameter_noinfo_noreturn$?flush@?$basic_ostream@?setstate@?$basic_ios@_?sputc@?$basic_streambuf@_?uncaught_exception@std@@AllocControlDeviceOsfx@?$basic_ostream@V12@V21@@Vios_base@1@memmove
String ID: [!] g_KernelHashBucketList looks empty!$[+] Found In g_KernelHashBucketList: $[+] g_HashCacheLock Locked$[+] g_KernelHashBucketList Cleaned$[+] g_KernelHashBucketList Found 0x$[-] Can't Find ci.dll module address$[-] Can't Find g_HashCache relative address$[-] Can't Find g_HashCacheLock$[-] Can't Find g_KernelHashBucketList$[-] Can't find pattern$[-] Can't lock g_HashCacheLock$[-] Failed to clear g_KernelHashBucketList entry pool!$[-] Failed to read first g_KernelHashBucketList entry!$[-] Failed to read g_KernelHashBucketList entry text len!$[-] Failed to read g_KernelHashBucketList entry text ptr!$[-] Failed to read g_KernelHashBucketList entry text!$[-] Failed to read g_KernelHashBucketList next entry ptr!$[-] Failed to read g_KernelHashBucketList next entry!$[-] Failed to release g_KernelHashBucketList lock!$[-] Failed to write g_KernelHashBucketList prev entry ptr!$[-] No module address to find pattern$[-] Read failed in FindPatternAtKernel$ci.dll$xxx$xxx????x?xxxxxxx
API String ID: 1342546852-3908567482
Opcode ID: afd65226d629bb2cd274d8e656f883520e6269e3721f0ef54ea5a21282dcdcfc
Instruction ID: d71be21c5c183530598cacd0c2bcabfb4c0bfa43dbf361f07f7f8bba8c0871fc
Opcode Fuzzy Hash: afd65226d629bb2cd274d8e656f883520e6269e3721f0ef54ea5a21282dcdcfc
Instruction Fuzzy Hash: 0C428B65F18E4280FE80AB65E8442B9A369FF45BA4FD06131DE4D17A99DFBCE54CC320

Function 00007FF712FA1800 Relevance: 65.0, APIs: 23, Strings: 14, Instructions: 295
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF712FA1837
GetCurrentThreadId.KERNEL32 ref: 00007FF712FA1840
srand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF712FA184B
CreateFileW.KERNEL32 ref: 00007FF712FA1879
CloseHandle.KERNEL32 ref: 00007FF712FA188C

Part of subcall function 00007FF712FA5910: ?good@ios_base@std@@QEBA_NXZ.MSVCP140(FFFFFFFF,00000000,?,?,?,00007FF712FA15D3), ref: 00007FF712FA598A
Part of subcall function 00007FF712FA5910: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA59AA
Part of subcall function 00007FF712FA5910: ?good@ios_base@std@@QEBA_NXZ.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA59BA
Part of subcall function 00007FF712FA5910: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA5A9D
Part of subcall function 00007FF712FA5910: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA5AA4
Part of subcall function 00007FF712FA5910: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA5AB1

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA18AF
rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF712FA18F6
rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF712FA1940
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA19B5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FA19F5
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA1A31

Strings

ntoskrnl.exe, xrefs: 00007FF712FA1BBF
[-] Failed to register and start service for the vulnerable driver, xrefs: 00007FF712FA1B28
[-] Failed to get ntoskrnl.exe, xrefs: 00007FF712FA1C2E
[-] Failed to create vulnerable driver file, xrefs: 00007FF712FA1ADE
[-] Failed to get temp path, xrefs: 00007FF712FA15C0
[-] \Device\Nal is already in use., xrefs: 00007FF712FA1892
[-] Failed to load driver iqvw64e.sys, xrefs: 00007FF712FA1C76
[!] Failed to ClearMmUnloadedDrivers, xrefs: 00007FF712FA1C6D
[-] Failed to ClearPiDDBCacheTable, xrefs: 00007FF712FA1C43
[<] Loading vulnerable driver, Name: , xrefs: 00007FF712FA1971
[-] Failed to ClearKernelHashBucketList, xrefs: 00007FF712FA1C58
[-] Can't find TEMP folder, xrefs: 00007FF712FA1A14
gfff, xrefs: 00007FF712FA18FF
\\.\Nal, xrefs: 00007FF712FA1872, 00007FF712FA1B8B

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: V01@$U?$char_traits@_W@std@@@std@@$??6?$basic_ostream@_V01@@$?good@ios_base@std@@D@std@@@std@@U?$char_traits@rand$?flush@?$basic_ostream@?setstate@?$basic_ios@_?uncaught_exception@std@@CloseCreateCurrentFileHandleOsfx@?$basic_ostream@ThreadV12@_invalid_parameter_noinfo_noreturn_time64srand
String ID: [!] Failed to ClearMmUnloadedDrivers$[-] Can't find TEMP folder$[-] Failed to ClearKernelHashBucketList$[-] Failed to ClearPiDDBCacheTable$[-] Failed to create vulnerable driver file$[-] Failed to get ntoskrnl.exe$[-] Failed to get temp path$[-] Failed to load driver iqvw64e.sys$[-] Failed to register and start service for the vulnerable driver$[-] \Device\Nal is already in use.$[<] Loading vulnerable driver, Name: $\\.\Nal$gfff$ntoskrnl.exe
API String ID: 4132331485-3036430678
Opcode ID: 0687670a019a20a180e0959560c5c898c898dec2eb1374ec2884c1a41fd044f8
Instruction ID: c7c2aef99b111ec5e35ffd7afdc5448d3326315d893bd73c7b096713c1635085
Opcode Fuzzy Hash: 0687670a019a20a180e0959560c5c898c898dec2eb1374ec2884c1a41fd044f8
Instruction Fuzzy Hash: F7E18225E18E4281FB40EB25E8542BAA369FF85BF4FC05231D95E426A5DFBCE54CC720

Function 00007FF712FAE268 Relevance: 33.2, APIs: 22, Instructions: 224
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesExW.KERNEL32 ref: 00007FF712FAE315
GetLastError.KERNEL32 ref: 00007FF712FAE31F
FindFirstFileW.KERNEL32 ref: 00007FF712FAE336
GetLastError.KERNEL32 ref: 00007FF712FAE342
FindClose.KERNEL32 ref: 00007FF712FAE350
__std_fs_open_handle.LIBCPMT ref: 00007FF712FAE3E3
CloseHandle.KERNEL32 ref: 00007FF712FAE3F9
CloseHandle.KERNEL32 ref: 00007FF712FAE576
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FAE580

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: Close$ErrorFileFindHandleLast$AttributesFirst__std_fs_open_handleterminate
String ID:
API String ID: 2940733389-0
Opcode ID: 15296d6e40f6d123f720c5c9f9da8d40ae474e78b95cf03cab7fbfd31c63b516
Instruction ID: f7ee3fac9038b682e6dcaca59604c28ef6daff532edad1ed7223adda2560b79b
Opcode Fuzzy Hash: 15296d6e40f6d123f720c5c9f9da8d40ae474e78b95cf03cab7fbfd31c63b516
Instruction Fuzzy Hash: 8D91B431A08E4246E7A4AF15A84467AA3A9AF44FB4F981731D97E437D4DFBCE50CC720

Function 00007FF712FA2AE0 Relevance: 31.7, APIs: 11, Strings: 7, Instructions: 217
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQuerySystemInformation.NTDLL ref: 00007FF712FA2B1C
VirtualFree.KERNEL32 ref: 00007FF712FA2B3B
VirtualAlloc.KERNEL32 ref: 00007FF712FA2B50
NtQuerySystemInformation.NTDLL ref: 00007FF712FA2B69
GetCurrentProcessId.KERNEL32 ref: 00007FF712FA2BD1
VirtualFree.KERNEL32 ref: 00007FF712FA2C14
memset.VCRUNTIME140 ref: 00007FF712FA2D16
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA2D50
DeviceIoControl.KERNEL32 ref: 00007FF712FA2DBC
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA2DEE
VirtualFree.KERNEL32 ref: 00007FF712FA2E4C

Strings

[!] Failed to find driver_object, xrefs: 00007FF712FA2E24
[!] Failed to find driver_section, xrefs: 00007FF712FA2E18
[!] Failed to read driver name, xrefs: 00007FF712FA2D33
[!] Failed to find driver name, xrefs: 00007FF712FA2E0C
[+] MmUnloadedDrivers Cleaned: , xrefs: 00007FF712FA2DCD
[!] Failed to write driver name length, xrefs: 00007FF712FA2E00
[!] Failed to find device_object, xrefs: 00007FF712FA2E30

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: V01@Virtual$Free$??6?$basic_ostream@_InformationQuerySystemU?$char_traits@_V01@@W@std@@@std@@$AllocControlCurrentDeviceProcessmemset
String ID: [!] Failed to find device_object$[!] Failed to find driver name$[!] Failed to find driver_object$[!] Failed to find driver_section$[!] Failed to read driver name$[!] Failed to write driver name length$[+] MmUnloadedDrivers Cleaned:
API String ID: 2853312854-3011715350
Opcode ID: 38505e44c8f792e61f5d08c413b57af3f2208e4c6ba873b9fada4e97e8a7058d
Instruction ID: 7d226cffaa8fbe543b800a559334496f65e3542d2921236ab50b3422b8f2e7db
Opcode Fuzzy Hash: 38505e44c8f792e61f5d08c413b57af3f2208e4c6ba873b9fada4e97e8a7058d
Instruction Fuzzy Hash: 1AA1D326F18E5185FB90AB60D4403F9A3A8AF45FA8F806535DE4E17A85DF7CD249C320

Function 00007FF712FA27A0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 193memoryCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF712FA27FE

Part of subcall function 00007FF712FA2110: DeviceIoControl.KERNEL32 ref: 00007FF712FA2178

VirtualAlloc.KERNEL32 ref: 00007FF712FA28B1
VirtualFree.KERNEL32 ref: 00007FF712FA28E8
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF712FA2985
VirtualFree.KERNEL32 ref: 00007FF712FA29EB
VirtualFree.KERNEL32 ref: 00007FF712FA2A6E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FA2AAA
VirtualFree.KERNEL32 ref: 00007FF712FA2ABC

Strings

PE, xrefs: 00007FF712FA285A

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: Virtual$Free$AllocControlDevice_invalid_parameter_noinfo_noreturn_stricmpmemset
String ID: PE
API String ID: 2498276250-4258593460
Opcode ID: 83d08ce342eba4fe71f38f57fdd648a2ffd480915f11e032d2e26724f4d6a8e3
Instruction ID: 8b19f4e58f8822ae1340002e34dd087aebe168cdd327169b25267a6ef5c356bc
Opcode Fuzzy Hash: 83d08ce342eba4fe71f38f57fdd648a2ffd480915f11e032d2e26724f4d6a8e3
Instruction Fuzzy Hash: 1C81C422B18E9186EAA0DB15E44036AA3A5FB89FE0F805235DE9E47BD4DF7CD485C710

Function 00007FF712FAD960 Relevance: 13.6, APIs: 9, Instructions: 141nativememoryCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 00007FF712FAD993
VirtualFree.KERNEL32 ref: 00007FF712FAD9B0
VirtualAlloc.KERNEL32 ref: 00007FF712FAD9C6
NtQuerySystemInformation.NTDLL ref: 00007FF712FAD9E1
VirtualFree.KERNEL32 ref: 00007FF712FADA02
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF712FADAA1
VirtualFree.KERNEL32 ref: 00007FF712FADAFD
VirtualFree.KERNEL32 ref: 00007FF712FADB37
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FADB71

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: Virtual$Free$InformationQuerySystem$Alloc_invalid_parameter_noinfo_noreturn_stricmp
String ID:
API String ID: 562193759-0
Opcode ID: a6827c8cb0e67d0c1547f0d54e66abefa56636be2953ed64555038e0627ab9f0
Instruction ID: b573e95e590d705cbe5f2ae07e6cdddcc1321d8bdbb22c14e67fee83c55b028a
Opcode Fuzzy Hash: a6827c8cb0e67d0c1547f0d54e66abefa56636be2953ed64555038e0627ab9f0
Instruction Fuzzy Hash: 6451F562B18D4242EB60AB25E40032AE369FF89FF4F945231DA5E436E8DF7CD589C710

Function 00007FF712FAF350 Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF712FAF36C
memset.VCRUNTIME140 ref: 00007FF712FAF390
RtlCaptureContext.KERNEL32 ref: 00007FF712FAF399
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF712FAF3B3
RtlVirtualUnwind.KERNEL32 ref: 00007FF712FAF3F4
memset.VCRUNTIME140 ref: 00007FF712FAF427
IsDebuggerPresent.KERNEL32 ref: 00007FF712FAF448
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF712FAF469
UnhandledExceptionFilter.KERNEL32 ref: 00007FF712FAF474

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: f21188de37aeb5afc46f91044c5946636237b3ed6d310189bcc352f84bb1039d
Instruction ID: 9834ff29567877f9d8d60fe1bcbbbba493d628cd6fd319c01d9f50ed9368b679
Opcode Fuzzy Hash: f21188de37aeb5afc46f91044c5946636237b3ed6d310189bcc352f84bb1039d
Instruction Fuzzy Hash: C2311072609F8186EB60AF60E8503EEB368FB44754F844539DA4E47A94DF7DD64CC720

Function 00007FF712FACA10 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 253COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF712FACDB3

Part of subcall function 00007FF712FAE8F8: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF712FA7B5F,?,?,?,?,?,?,?,?,?,00007FF712FA1347), ref: 00007FF712FAE912

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FACDAC

Strings

gfffffff, xrefs: 00007FF712FACA34
gfffffff, xrefs: 00007FF712FACD2F

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID: gfffffff$gfffffff
API String ID: 1934640635-161084747
Opcode ID: 010f5592cb0d9fc498b0c71bf68df1184c5ce5cc269122a349b309fca8d1a99a
Instruction ID: 64e1d6d11ea0fb23216955c42aa5f813ab23d94555f2d1b5f04cc055765fcd4b
Opcode Fuzzy Hash: 010f5592cb0d9fc498b0c71bf68df1184c5ce5cc269122a349b309fca8d1a99a
Instruction Fuzzy Hash: 7FA1BDA2B05F8982DA40DF1AE4442ADB3A8F758F94F94A232DB8D47754DF78E5D9C300

Function 00007FF712FAE6B8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF712FAE719
IsDebuggerPresent.KERNEL32 ref: 00007FF712FAE731
OutputDebugStringW.KERNEL32 ref: 00007FF712FAE742

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00007FF712FAE73B

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: DebugDebuggerErrorLastOutputPresentString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 389471666-631824599
Opcode ID: bcd55b3d286835cf1a62951183ea9edb53974f4268d9f7ab121b0164fac76e01
Instruction ID: 1ef1629f9eb9036c6746f644673f0cf879321750a14c539526c2b72dc9711fc8
Opcode Fuzzy Hash: bcd55b3d286835cf1a62951183ea9edb53974f4268d9f7ab121b0164fac76e01
Instruction Fuzzy Hash: D2113D32A14F8693E744AB22D5453BA72A8FB44BA4F846135C65D82A50EFBCE57CC720

Function 00007FF712FAF568 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF712FAF594
GetCurrentThreadId.KERNEL32 ref: 00007FF712FAF5A2
GetCurrentProcessId.KERNEL32 ref: 00007FF712FAF5AE
QueryPerformanceCounter.KERNEL32 ref: 00007FF712FAF5BE

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 0f809ddf23e613b9863d94562b26c7da8db40f52779d4d40cce25ed7be15b6b9
Instruction ID: 1e08ae8d19e1bccb8dfaed620793deb7d26c36797f22a474a9a49c1f05efcec9
Opcode Fuzzy Hash: 0f809ddf23e613b9863d94562b26c7da8db40f52779d4d40cce25ed7be15b6b9
Instruction Fuzzy Hash: 53113026B14F018AEB00DF60E8542B973A8F719B68F841E31DE6D467A8DFB8D168C350

Function 00007FF712FADFB4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,?,?,?,?,?,00000000,00007FF712FA8745), ref: 00007FF712FADFDA
FormatMessageA.KERNEL32 ref: 00007FF712FAE009

Strings

!x-sys-default-locale, xrefs: 00007FF712FADFCD

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: FormatInfoLocaleMessage
String ID: !x-sys-default-locale
API String ID: 4235545615-2729719199
Opcode ID: 7b80c0e6822295a2a94d171d0d86f889474afe5b04160ea12453b2c0eed50d1b
Instruction ID: 885df49355a7c0363096651eb89d929c03ca3dc04c7759e00cef2050dfae0577
Opcode Fuzzy Hash: 7b80c0e6822295a2a94d171d0d86f889474afe5b04160ea12453b2c0eed50d1b
Instruction Fuzzy Hash: 5601B172B18BC582E7509B22F4407BAA7A5F788BE4F848135EA4D52B88CF7CD509CB10

Function 00007FF712FAC3C0 Relevance: 3.3, APIs: 2, Instructions: 292COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF712FAC7D6

Part of subcall function 00007FF712FAE8F8: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF712FA7B5F,?,?,?,?,?,?,?,?,?,00007FF712FA1347), ref: 00007FF712FAE912

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FAC7CF

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 1934640635-0
Opcode ID: 88029f5556c40cb426cccf541cdd8e96023e4c304d04049f2f29d21126134cac
Instruction ID: b6671bf6fbbad7cdff5aaa5e384e39c756d824f2975720aefe944ecb3d36633e
Opcode Fuzzy Hash: 88029f5556c40cb426cccf541cdd8e96023e4c304d04049f2f29d21126134cac
Instruction Fuzzy Hash: 90B1BD73A04F8982DA40DF15E5446ADB3A8F799BE4F94A23AEB8C07745DF78D198C310

Function 00007FF712FAF4FC Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b18bb9ead59f1387bb93b2c7675af822d3acc4b7cae2a4d02b9e433fd9b8b99
Instruction ID: d8b4f3e88a65da92121889bf1ab3adc6259a5bf5d65d8e8b0c7ead9799da952b
Opcode Fuzzy Hash: 9b18bb9ead59f1387bb93b2c7675af822d3acc4b7cae2a4d02b9e433fd9b8b99
Instruction Fuzzy Hash: 24A0022190CC42D9E654AF10F854532A338FB53BA0FC05231C04D951A49FBDF50DC720

Function 00007FF712FA3300 Relevance: 70.4, APIs: 20, Strings: 20, Instructions: 365
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF712FA3B10: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,00007FF712FA3350), ref: 00007FF712FA3B85

Part of subcall function 00007FF712FA3B10: memcmp.VCRUNTIME140(?,?,?,00007FF712FA3350), ref: 00007FF712FA3C10

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA33DB

Part of subcall function 00007FF712FA3B10: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,00007FF712FA3350), ref: 00007FF712FA3C82

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA33FE
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF712FA344E
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@_K@Z.MSVCP140 ref: 00007FF712FA345E
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA346E
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF712FA3491
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@_K@Z.MSVCP140 ref: 00007FF712FA34A1
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA34B1

Part of subcall function 00007FF712FA5910: ?good@ios_base@std@@QEBA_NXZ.MSVCP140(FFFFFFFF,00000000,?,?,?,00007FF712FA15D3), ref: 00007FF712FA598A
Part of subcall function 00007FF712FA5910: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA59AA
Part of subcall function 00007FF712FA5910: ?good@ios_base@std@@QEBA_NXZ.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA59BA
Part of subcall function 00007FF712FA5910: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA5A9D
Part of subcall function 00007FF712FA5910: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA5AA4
Part of subcall function 00007FF712FA5910: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA5AB1

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA355A

Part of subcall function 00007FF712FA1800: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FA14AE

Part of subcall function 00007FF712FA3120: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FA3255
Part of subcall function 00007FF712FA3120: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA32A7

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA3902
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FA394C

Strings

[+] PiDDBCacheTable Cleaned, xrefs: 00007FF712FA38B5
[-] Can't delete from PiDDBCacheTable, xrefs: 00007FF712FA37FE
xxxxxx????xxxxx????xxx????xxxxx????x????xx?x, xrefs: 00007FF712FA3331
[+] PiDDBCacheTable Ptr 0x, xrefs: 00007FF712FA3474
xxx????xxxxx????xxx????x????x, xrefs: 00007FF712FA3390
[-] Warning PiDDBCacheTable not found, xrefs: 00007FF712FA342F
[+] PiDDBLock Ptr 0x, xrefs: 00007FF712FA3438
RtlDeleteElementGenericTableAvl, xrefs: 00007FF712FA374B
[+] Found Table Entry = 0x, xrefs: 00007FF712FA35E9
[-] Warning PiDDBLock not found, xrefs: 00007FF712FA33C5
[-] Can't set prev entry, xrefs: 00007FF712FA38DC
[-] Can't set next entry, xrefs: 00007FF712FA38E5
[+] PiDDBLock found with second pattern, xrefs: 00007FF712FA33E8
[-] Can't lock PiDDBCacheTable, xrefs: 00007FF712FA3538
[!] Failed to find RtlDeleteElementGenericTableAvl, xrefs: 00007FF712FA37DB
[-] Can't get prev entry, xrefs: 00007FF712FA35B1
[-] Not found in cache, xrefs: 00007FF712FA358B
xxxxxx, xrefs: 00007FF712FA3357
[-] Can't get next entry, xrefs: 00007FF712FA35DD
[+] PiDDBLock Locked, xrefs: 00007FF712FA3544

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: V01@$U?$char_traits@_W@std@@@std@@$??6?$basic_ostream@_$V01@@$_invalid_parameter_noinfo_noreturn$?good@ios_base@std@@D@std@@@std@@U?$char_traits@V01@_V21@@Vios_base@1@$?flush@?$basic_ostream@?setstate@?$basic_ios@_?uncaught_exception@std@@Osfx@?$basic_ostream@V12@memcmp
String ID: RtlDeleteElementGenericTableAvl$[!] Failed to find RtlDeleteElementGenericTableAvl$[+] Found Table Entry = 0x$[+] PiDDBCacheTable Cleaned$[+] PiDDBCacheTable Ptr 0x$[+] PiDDBLock Locked$[+] PiDDBLock Ptr 0x$[+] PiDDBLock found with second pattern$[-] Can't delete from PiDDBCacheTable$[-] Can't get next entry$[-] Can't get prev entry$[-] Can't lock PiDDBCacheTable$[-] Can't set next entry$[-] Can't set prev entry$[-] Not found in cache$[-] Warning PiDDBCacheTable not found$[-] Warning PiDDBLock not found$xxx????xxxxx????xxx????x????x$xxxxxx$xxxxxx????xxxxx????xxx????xxxxx????x????xx?x
API String ID: 1542962237-602910616
Opcode ID: de307530e1b32bcf96bd40a67294a47ad79291bfcd60a9b686066fc2fc3c7b59
Instruction ID: c94858cc27f0737c82fa4d4662a9128da87332755a3836041f5f3d5baceb0242
Opcode Fuzzy Hash: de307530e1b32bcf96bd40a67294a47ad79291bfcd60a9b686066fc2fc3c7b59
Instruction Fuzzy Hash: EE023965F18F4295FB40EB65E8506A9A3A9FB44BA4FC06535D90E17B64DFBCE20CC320

Function 00007FF712FAAB80 Relevance: 58.1, APIs: 19, Strings: 14, Instructions: 314
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32 ref: 00007FF712FAAC0E
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FAAF87
VirtualFree.KERNEL32 ref: 00007FF712FAAF98
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FAB05E

Strings

[-] Invalid format of PE image, xrefs: 00007FF712FAB041
[+] DriverEntry returned 0x, xrefs: 00007FF712FAAFBD
[+] Skipped 0x, xrefs: 00007FF712FAAE2D
[-] Failed to write local image to remote image, xrefs: 00007FF712FAAEDE
[-] Failed to resolve imports, xrefs: 00007FF712FAAEB1
[-] Failed to allocate remote image in kernel, xrefs: 00007FF712FAAD5B, 00007FF712FAAD91
[<] Calling DriverEntry 0x, xrefs: 00007FF712FAAEF1
[!] Failed to find ExAllocatePool, xrefs: 00007FF712FAAD34
[-] Failed to call driver entry, xrefs: 00007FF712FAAF6A
bytes of PE Header, xrefs: 00007FF712FAAE5F
ExAllocatePoolWithTag, xrefs: 00007FF712FAACB0
[+] Image base has been allocated at 0x, xrefs: 00007FF712FAAD9D
[-] Image is not 64 bit, xrefs: 00007FF712FAABF1
[-] Callback returns false, failed!, xrefs: 00007FF712FAAF35

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_V01@@VirtualW@std@@@std@@$AllocFree
String ID: bytes of PE Header$ExAllocatePoolWithTag$[!] Failed to find ExAllocatePool$[+] DriverEntry returned 0x$[+] Image base has been allocated at 0x$[+] Skipped 0x$[-] Callback returns false, failed!$[-] Failed to allocate remote image in kernel$[-] Failed to call driver entry$[-] Failed to resolve imports$[-] Failed to write local image to remote image$[-] Image is not 64 bit$[-] Invalid format of PE image$[<] Calling DriverEntry 0x
API String ID: 284350539-3204775764
Opcode ID: 8309aa031f3fe7d1f52456a86aea006dcbd6712e816aa191e5cc85707655c4ef
Instruction ID: c2ad7a619fdcb492df9e687420e0385da8144d8f9056570ceac62f615b9ad963
Opcode Fuzzy Hash: 8309aa031f3fe7d1f52456a86aea006dcbd6712e816aa191e5cc85707655c4ef
Instruction Fuzzy Hash: 55E16B65F18E0286FB50EB65E8402B9A369BB44FA4FC05532DE0D47795EEBCE64CC360

Function 00007FF712FACF50 Relevance: 56.3, APIs: 18, Strings: 14, Instructions: 263
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF712FA1800: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FA14AE

Part of subcall function 00007FF712FA7E60: memmove.VCRUNTIME140 ref: 00007FF712FA7F63
Part of subcall function 00007FF712FA7E60: memmove.VCRUNTIME140 ref: 00007FF712FA7F73

RegCreateKeyW.ADVAPI32 ref: 00007FF712FAD033
RegSetKeyValueW.ADVAPI32 ref: 00007FF712FAD075
RegCloseKey.ADVAPI32 ref: 00007FF712FAD083

Part of subcall function 00007FF712FA11D0: ?_Xlength_error@std@@YAXPEBD@Z.MSVCP140 ref: 00007FF712FA11DB

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FAD0A6
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FAD0F1
RegSetKeyValueW.ADVAPI32 ref: 00007FF712FAD11B
RegCloseKey.ADVAPI32 ref: 00007FF712FAD129
RegCloseKey.ADVAPI32 ref: 00007FF712FAD13B
GetModuleHandleA.KERNEL32 ref: 00007FF712FAD148
GetProcAddress.KERNEL32 ref: 00007FF712FAD164
GetProcAddress.KERNEL32 ref: 00007FF712FAD177
RtlInitUnicodeString.NTDLL ref: 00007FF712FAD1F4
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF712FAD21F
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z.MSVCP140 ref: 00007FF712FAD22A
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FAD23A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FAD289
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FAD2FA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FAD34F

Strings

\Registry\Machine\System\CurrentControlSet\Services\, xrefs: 00007FF712FAD1D1
Type, xrefs: 00007FF712FAD112
[-] Can't create 'Type' registry value, xrefs: 00007FF712FAD12F
ntdll.dll, xrefs: 00007FF712FAD141
\??\, xrefs: 00007FF712FAD009
[-] Can't create 'ImagePath' registry value, xrefs: 00007FF712FAD089
RtlAdjustPrivilege, xrefs: 00007FF712FAD15A
[-] Can't create service key, xrefs: 00007FF712FAD03D
4, xrefs: 00007FF712FAD1C8
SYSTEM\CurrentControlSet\Services\, xrefs: 00007FF712FACFC7
Fatal error: failed to acquire SE_LOAD_DRIVER_PRIVILEGE. Make sure you are running as administrator., xrefs: 00007FF712FAD193
[+] NtLoadDriver Status 0x, xrefs: 00007FF712FAD202
NtLoadDriver, xrefs: 00007FF712FAD16D
ImagePath, xrefs: 00007FF712FAD068

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: V01@$_invalid_parameter_noinfo_noreturn$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$Close$AddressProcV01@@Valuememmove$CreateHandleInitModuleStringUnicodeV21@@Vios_base@1@Xlength_error@std@@
String ID: 4$Fatal error: failed to acquire SE_LOAD_DRIVER_PRIVILEGE. Make sure you are running as administrator.$ImagePath$NtLoadDriver$RtlAdjustPrivilege$SYSTEM\CurrentControlSet\Services\$Type$[+] NtLoadDriver Status 0x$[-] Can't create 'ImagePath' registry value$[-] Can't create 'Type' registry value$[-] Can't create service key$\??\$\Registry\Machine\System\CurrentControlSet\Services\$ntdll.dll
API String ID: 3141946345-3793529226
Opcode ID: 7dfcfe9bd8284bdd2360300c4de180c35d07c8d174683e2a2691aedab27e15b4
Instruction ID: f920fe85d5aa37236cae95b6f5af44f84c8c595f11c02c2029826853f663c645
Opcode Fuzzy Hash: 7dfcfe9bd8284bdd2360300c4de180c35d07c8d174683e2a2691aedab27e15b4
Instruction Fuzzy Hash: 4AC18121B18F4686FB40EB65E4443ADA369FB44BB8F805231DA5D53A98DFBCD24DC360

Function 00007FF712FAA6E0 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 270
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FAA7C1
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FAA801
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FAA8EC
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FAA9A7
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FAA9E7

Part of subcall function 00007FF712FA79C0: memmove.VCRUNTIME140(00000000,?,?,?,00007FF712FA1347), ref: 00007FF712FA79F8

Part of subcall function 00007FF712FA27A0: memset.VCRUNTIME140 ref: 00007FF712FA27FE
Part of subcall function 00007FF712FA27A0: VirtualAlloc.KERNEL32 ref: 00007FF712FA28B1
Part of subcall function 00007FF712FA27A0: VirtualFree.KERNEL32 ref: 00007FF712FA28E8

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FAA824

Part of subcall function 00007FF712FAE880: AcquireSRWLockExclusive.KERNEL32 ref: 00007FF712FAE890

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FAAAB3
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FAAAF3
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FAAB16
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FAAB65

Strings

[!] Failed to find MmAlocatePagesForMdl, xrefs: 00007FF712FAA7E4
[-] Can't read the _MDL : byteCount, xrefs: 00007FF712FAA8BB
MmMapLockedPagesSpecifyCache, xrefs: 00007FF712FAA94A
[-] Can't allocate pages for mdl, xrefs: 00007FF712FAA807
[-] Couldn't allocate enough memory, cleaning up, xrefs: 00007FF712FAA8CF
[+] Allocated pages for mdl, xrefs: 00007FF712FAAB48
MmAllocatePagesForMdl, xrefs: 00007FF712FAA764
[-] Can't set mdl pages cache, cleaning up., xrefs: 00007FF712FAA9ED
[!] Failed to find MmMapLockedPagesSpecifyCache, xrefs: 00007FF712FAA9CA
MmProtectMdlSystemAddress, xrefs: 00007FF712FAAA56
[-] Can't change protection for mdl pages, cleaning up, xrefs: 00007FF712FAAAF9
[!] Failed to find MmProtectMdlSystemAddress, xrefs: 00007FF712FAAAD6

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_V01@@W@std@@@std@@$_invalid_parameter_noinfo_noreturn$Virtual$AcquireAllocExclusiveFreeLockmemmovememset
String ID: MmAllocatePagesForMdl$MmMapLockedPagesSpecifyCache$MmProtectMdlSystemAddress$[!] Failed to find MmAlocatePagesForMdl$[!] Failed to find MmMapLockedPagesSpecifyCache$[!] Failed to find MmProtectMdlSystemAddress$[+] Allocated pages for mdl$[-] Can't allocate pages for mdl$[-] Can't change protection for mdl pages, cleaning up$[-] Can't read the _MDL : byteCount$[-] Can't set mdl pages cache, cleaning up.$[-] Couldn't allocate enough memory, cleaning up
API String ID: 3688386056-338763861
Opcode ID: b1a0454df157e8150791343c662980d3bc081e7deac5df9f32fa31baa35a9a36
Instruction ID: c5ca7eb4bd8afca023c8e981f3efbfc7246a7cbd8e0e2c44f26ac64fa513814e
Opcode Fuzzy Hash: b1a0454df157e8150791343c662980d3bc081e7deac5df9f32fa31baa35a9a36
Instruction Fuzzy Hash: 5AD1A125F18E0295FB40FB65E8546B9A369BF44BB4FC06632D91D026A5DFBCE24DC320

Function 00007FF712FAD3A0 Relevance: 35.2, APIs: 13, Strings: 7, Instructions: 177
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF712FAD3D5
RtlInitUnicodeString.NTDLL ref: 00007FF712FAD448
RegOpenKeyW.ADVAPI32 ref: 00007FF712FAD4A6
RegCloseKey.ADVAPI32 ref: 00007FF712FAD4BF
GetProcAddress.KERNEL32 ref: 00007FF712FAD4CF

Part of subcall function 00007FF712FA73F0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF712FA7469
Part of subcall function 00007FF712FA73F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF712FA7489
Part of subcall function 00007FF712FA73F0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF712FA7499
Part of subcall function 00007FF712FA73F0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF712FA7616
Part of subcall function 00007FF712FA73F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF712FA761D
Part of subcall function 00007FF712FA73F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF712FA762A

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF712FAD4FA
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z.MSVCP140 ref: 00007FF712FAD505
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FAD515
RegDeleteTreeW.ADVAPI32 ref: 00007FF712FAD576

Part of subcall function 00007FF712FA73F0: ?getloc@ios_base@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF712FA74C4
Part of subcall function 00007FF712FA73F0: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF712FA7536
Part of subcall function 00007FF712FA73F0: ?widen@?$ctype@_W@std@@QEBA_WD@Z.MSVCP140 ref: 00007FF712FA757E
Part of subcall function 00007FF712FA73F0: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF712FA758C

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FAD53C
RegDeleteTreeW.ADVAPI32 ref: 00007FF712FAD557
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FAD5BD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FAD612

Strings

\Registry\Machine\System\CurrentControlSet\Services\, xrefs: 00007FF712FAD425
[-] Driver Unload Failed!!, xrefs: 00007FF712FAD51F
ntdll.dll, xrefs: 00007FF712FAD3CE
[+] NtUnloadDriver Status 0x, xrefs: 00007FF712FAD4DD
SYSTEM\CurrentControlSet\Services\, xrefs: 00007FF712FAD47C
", xrefs: 00007FF712FAD473
NtUnloadDriver, xrefs: 00007FF712FAD4C5

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: U?$char_traits@_W@std@@@std@@$V01@$??6?$basic_ostream@_$?good@ios_base@std@@?sputc@?$basic_streambuf@_D@std@@@std@@DeleteTreeU?$char_traits@V01@@_invalid_parameter_noinfo_noreturn$?flush@?$basic_ostream@?getloc@ios_base@std@@?setstate@?$basic_ios@_?uncaught_exception@std@@?widen@?$ctype@_AddressCloseHandleInitModuleOpenOsfx@?$basic_ostream@ProcStringUnicodeV12@V21@@Vios_base@1@Vlocale@2@W@std@@
String ID: "$NtUnloadDriver$SYSTEM\CurrentControlSet\Services\$[+] NtUnloadDriver Status 0x$[-] Driver Unload Failed!!$\Registry\Machine\System\CurrentControlSet\Services\$ntdll.dll
API String ID: 2867398276-3977549460
Opcode ID: 3225a9fea96ae8bd8283cac72da16987d13c0697cff0ef66a9a9ae835bc1f091
Instruction ID: a7fecd947fd3e3e551048e656397583ababa29415ef32650eb78c4bc812505e7
Opcode Fuzzy Hash: 3225a9fea96ae8bd8283cac72da16987d13c0697cff0ef66a9a9ae835bc1f091
Instruction Fuzzy Hash: 8C717022B19E4685EB40AF65D8942BD6369FB44BB8F806631D91D077D8DFBCE14DC320

Function 00007FF712FA1D20 Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF712FA5910: ?good@ios_base@std@@QEBA_NXZ.MSVCP140(FFFFFFFF,00000000,?,?,?,00007FF712FA15D3), ref: 00007FF712FA598A
Part of subcall function 00007FF712FA5910: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA59AA
Part of subcall function 00007FF712FA5910: ?good@ios_base@std@@QEBA_NXZ.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA59BA
Part of subcall function 00007FF712FA5910: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA5A9D
Part of subcall function 00007FF712FA5910: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA5AA4
Part of subcall function 00007FF712FA5910: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA5AB1

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA1D70
CloseHandle.KERNEL32 ref: 00007FF712FA1D83

Part of subcall function 00007FF712FA1800: memset.VCRUNTIME140 ref: 00007FF712FA1545
Part of subcall function 00007FF712FA1800: GetTempPathW.KERNEL32 ref: 00007FF712FA1553
Part of subcall function 00007FF712FA1800: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FA1673

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FA1DD8
memset.VCRUNTIME140 ref: 00007FF712FA1E07

Part of subcall function 00007FF712FA52C0: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF712FA52F3
Part of subcall function 00007FF712FA52C0: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF712FA5312
Part of subcall function 00007FF712FA52C0: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF712FA5344
Part of subcall function 00007FF712FA52C0: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF712FA535F
Part of subcall function 00007FF712FA52C0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF712FA53A9

rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF712FA1E28
rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF712FA1E71
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z.MSVCP140 ref: 00007FF712FA1EAF
??7ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF712FA1EBF
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA1EED
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF712FA1F1A
_wremove.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF712FA1F39
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF712FA1FBC
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF712FA1FC7
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF712FA1FD1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FA2011

Strings

[<] Unloading vulnerable driver, xrefs: 00007FF712FA1D53
[!] Error dumping shit inside the disk, xrefs: 00007FF712FA1ECE
[+] Vul driver data destroyed before unlink, xrefs: 00007FF712FA1ED7

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$U?$char_traits@_W@std@@@std@@$V01@$?setstate@?$basic_ios@__invalid_parameter_noinfo_noreturn$??6?$basic_ostream@_?good@ios_base@std@@V01@@V12@memsetrand$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@??1?$basic_streambuf@??7ios_base@std@@?flush@?$basic_ostream@?uncaught_exception@std@@?write@?$basic_ostream@CloseD@std@@@1@_HandleInit@?$basic_streambuf@Osfx@?$basic_ostream@PathTempV?$basic_streambuf@_wremove
String ID: [!] Error dumping shit inside the disk$[+] Vul driver data destroyed before unlink$[<] Unloading vulnerable driver
API String ID: 4129958369-4078119036
Opcode ID: 9f41a970af408f980f7f6be4154a77ba25afd5a99f3374468b30b03b8a73c675
Instruction ID: 85b0f7b1dff661b5100f7b5ad87eef688ad3f798e0bdf4185707bbe927280916
Opcode Fuzzy Hash: 9f41a970af408f980f7f6be4154a77ba25afd5a99f3374468b30b03b8a73c675
Instruction Fuzzy Hash: E691E621B18E4685EF40EB25E4542BEA369FB84BE4F805132DA5E43BA8DFBCD54DC710

Function 00007FF712FA2660 Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FA272A
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA276A
GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF712FA68F4
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF712FA691C

Part of subcall function 00007FF712FAE880: AcquireSRWLockExclusive.KERNEL32 ref: 00007FF712FAE890

Part of subcall function 00007FF712FA79C0: memmove.VCRUNTIME140(00000000,?,?,?,00007FF712FA1347), ref: 00007FF712FA79F8

Part of subcall function 00007FF712FA27A0: memset.VCRUNTIME140 ref: 00007FF712FA27FE
Part of subcall function 00007FF712FA27A0: VirtualAlloc.KERNEL32 ref: 00007FF712FA28B1
Part of subcall function 00007FF712FA27A0: VirtualFree.KERNEL32 ref: 00007FF712FA28E8

Strings

[!] Failed to find ExAllocatePool, xrefs: 00007FF712FA274D
[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF712FA6A4B
ntdll.dll, xrefs: 00007FF712FA68ED
ExFreePool, xrefs: 00007FF712FA26C9
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF712FA6959
[-] Failed to load ntdll.dll, xrefs: 00007FF712FA68FF
[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF712FA6A9E
NtAddAtom, xrefs: 00007FF712FA6941, 00007FF712FA69C5

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_V01@@VirtualW@std@@@std@@$AcquireAllocExclusiveFreeHandleLockModule_invalid_parameter_noinfo_noreturnmemmovememset
String ID: ExFreePool$NtAddAtom$[!] Failed to find ExAllocatePool$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 621326978-3600435281
Opcode ID: 35a6a69c4b559fda76afb814e073c28b3a3aade04ab1958f2d6355325d3efe4f
Instruction ID: 6ef738ceeff74fbdb7688a5a8532fd53b0888f5c7edaa654f0ff789cd2a7b51d
Opcode Fuzzy Hash: 35a6a69c4b559fda76afb814e073c28b3a3aade04ab1958f2d6355325d3efe4f
Instruction Fuzzy Hash: F891D165E1CE8685FE50FB11E840179A369FF89BB0FC06632D95D026A5DFACE58CC720

Function 00007FF712FA2FE0 Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,-0000000A,00007FF712FA3913), ref: 00007FF712FA30AA
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,-0000000A,00007FF712FA3913), ref: 00007FF712FA30EA
GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF712FA6D54
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF712FA6D7C

Part of subcall function 00007FF712FAE880: AcquireSRWLockExclusive.KERNEL32 ref: 00007FF712FAE890

Part of subcall function 00007FF712FA79C0: memmove.VCRUNTIME140(00000000,?,?,?,00007FF712FA1347), ref: 00007FF712FA79F8

Part of subcall function 00007FF712FA27A0: memset.VCRUNTIME140 ref: 00007FF712FA27FE
Part of subcall function 00007FF712FA27A0: VirtualAlloc.KERNEL32 ref: 00007FF712FA28B1
Part of subcall function 00007FF712FA27A0: VirtualFree.KERNEL32 ref: 00007FF712FA28E8

Strings

[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF712FA6EAB
ntdll.dll, xrefs: 00007FF712FA6D4D
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF712FA6DB9
[-] Failed to load ntdll.dll, xrefs: 00007FF712FA6D5F
ExReleaseResourceLite, xrefs: 00007FF712FA3049
[!] Failed to find ExReleaseResourceLite, xrefs: 00007FF712FA30CD
[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF712FA6EFE
NtAddAtom, xrefs: 00007FF712FA6DA1, 00007FF712FA6E25

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_V01@@VirtualW@std@@@std@@$AcquireAllocExclusiveFreeHandleLockModule_invalid_parameter_noinfo_noreturnmemmovememset
String ID: ExReleaseResourceLite$NtAddAtom$[!] Failed to find ExReleaseResourceLite$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 621326978-1591343369
Opcode ID: 6b962467ddfba5b2656cd2cc873b8025575b50b9285f08327b7f6a6e9a5d0ace
Instruction ID: 825fb5e8e42e0367c7a4548bac75926c1c860ddc9d36888745da5199ee9fe1ba
Opcode Fuzzy Hash: 6b962467ddfba5b2656cd2cc873b8025575b50b9285f08327b7f6a6e9a5d0ace
Instruction Fuzzy Hash: AE919165E1CE8285EE50EB15E840179E369FF85BB4FC06232E95D026A5DFACE64CC720

Function 00007FF712FA21B0 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeviceIoControl.KERNEL32 ref: 00007FF712FA2233
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF712FA2256
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA2266
DeviceIoControl.KERNEL32 ref: 00007FF712FA22D6
DeviceIoControl.KERNEL32 ref: 00007FF712FA2357
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF712FA237A
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA238A
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF712FA23D6
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA23E6

Part of subcall function 00007FF712FA5910: ?good@ios_base@std@@QEBA_NXZ.MSVCP140(FFFFFFFF,00000000,?,?,?,00007FF712FA15D3), ref: 00007FF712FA598A
Part of subcall function 00007FF712FA5910: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA59AA
Part of subcall function 00007FF712FA5910: ?good@ios_base@std@@QEBA_NXZ.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA59BA
Part of subcall function 00007FF712FA5910: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA5A9D
Part of subcall function 00007FF712FA5910: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA5AA4
Part of subcall function 00007FF712FA5910: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA5AB1

Strings

[-] Failed to map IO space of 0x, xrefs: 00007FF712FA23C4
[!] Failed to unmap IO space of physical address 0x, xrefs: 00007FF712FA2368
[-] Failed to translate virtual address 0x, xrefs: 00007FF712FA2244

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: V01@$U?$char_traits@_W@std@@@std@@$??6?$basic_ostream@_$ControlDeviceV01@@$?good@ios_base@std@@D@std@@@std@@U?$char_traits@$?flush@?$basic_ostream@?setstate@?$basic_ios@_?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
String ID: [!] Failed to unmap IO space of physical address 0x$[-] Failed to map IO space of 0x$[-] Failed to translate virtual address 0x
API String ID: 2804743284-3202290428
Opcode ID: 162662bb59d799316a6c974aecfaca8f12dde749676955357c6bf86af9c4605b
Instruction ID: 631acef2130cd6441eb0b183a1835e3065e2c4809ac37d595141466c6458f9e5
Opcode Fuzzy Hash: 162662bb59d799316a6c974aecfaca8f12dde749676955357c6bf86af9c4605b
Instruction Fuzzy Hash: B2517E72B28F4185E7509F60E4403AEB3A9FB49B98F805535DA8D1BB58DF7CD219C320

Function 00007FF712FA6680 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 132libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF712FA66BA

Part of subcall function 00007FF712FA21B0: DeviceIoControl.KERNEL32 ref: 00007FF712FA2233
Part of subcall function 00007FF712FA21B0: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF712FA2256
Part of subcall function 00007FF712FA21B0: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA2266

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA66E2
GetProcAddress.KERNEL32 ref: 00007FF712FA6712
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FA67ED

Strings

[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF712FA6812
ntdll.dll, xrefs: 00007FF712FA66B3
zErB, xrefs: 00007FF712FA688D
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF712FA6720
[-] Failed to load ntdll.dll, xrefs: 00007FF712FA66C5
[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF712FA6865
NtAddAtom, xrefs: 00007FF712FA6708, 00007FF712FA678C

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$V01@@$AddressControlDeviceHandleModuleProc_invalid_parameter_noinfo_noreturn
String ID: NtAddAtom$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll$zErB
API String ID: 154489249-1150816730
Opcode ID: ccfdf9cf086bcf52ff93ed99d56e4614018c142d2d1fbe7b32a9d3428c9187f3
Instruction ID: 1421cbd07f0bea8813025e8b3c3569f7b08315954a73202c1c22cb53dc49ffbc
Opcode Fuzzy Hash: ccfdf9cf086bcf52ff93ed99d56e4614018c142d2d1fbe7b32a9d3428c9187f3
Instruction Fuzzy Hash: B651D065E1CE8284FE50EB15E840279E369FF85BB0FC06132E98C066A5DFACE54CC720

Function 00007FF712FA5D80 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 138libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF712FA5DBE

Part of subcall function 00007FF712FA21B0: DeviceIoControl.KERNEL32 ref: 00007FF712FA2233
Part of subcall function 00007FF712FA21B0: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF712FA2256
Part of subcall function 00007FF712FA21B0: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA2266

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA5DE6
GetProcAddress.KERNEL32 ref: 00007FF712FA5E13
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FA5EEE

Strings

[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF712FA5F13
ntdll.dll, xrefs: 00007FF712FA5DB7
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF712FA5E21
[-] Failed to load ntdll.dll, xrefs: 00007FF712FA5DC9
[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF712FA5F66
NtAddAtom, xrefs: 00007FF712FA5E09, 00007FF712FA5E8D

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$V01@@$AddressControlDeviceHandleModuleProc_invalid_parameter_noinfo_noreturn
String ID: NtAddAtom$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 154489249-2622504768
Opcode ID: 6c82ed449f77fedcfdb10a14f5d4163b338979a8116fa6d4a25449e195b1524a
Instruction ID: 70b14aebc361e2c293739d59f9bda785a20b8c840d95516aa7a74ffa70b2852e
Opcode Fuzzy Hash: 6c82ed449f77fedcfdb10a14f5d4163b338979a8116fa6d4a25449e195b1524a
Instruction Fuzzy Hash: 41517E65E1CE8281FA84EB11F844679A369FF95BB0FC06132E94D026A5DFBCE54CC720

Function 00007FF712FA6F50 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 137libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,-0000000A,00000000,?,00007FF712FA381E), ref: 00007FF712FA6F98

Part of subcall function 00007FF712FA21B0: DeviceIoControl.KERNEL32 ref: 00007FF712FA2233
Part of subcall function 00007FF712FA21B0: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF712FA2256
Part of subcall function 00007FF712FA21B0: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA2266

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,00000000,?,-0000000A,00000000,?,00007FF712FA381E), ref: 00007FF712FA6FC0
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,-0000000A,00000000,?,00007FF712FA381E), ref: 00007FF712FA6FF3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FA70CE

Strings

[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF712FA70F3
ntdll.dll, xrefs: 00007FF712FA6F91
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF712FA7001
[-] Failed to load ntdll.dll, xrefs: 00007FF712FA6FA3
[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF712FA7146
NtAddAtom, xrefs: 00007FF712FA6FE9, 00007FF712FA706D

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$V01@@$AddressControlDeviceHandleModuleProc_invalid_parameter_noinfo_noreturn
String ID: NtAddAtom$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 154489249-2622504768
Opcode ID: 0598adac2f8279ac81a5400ede25dfba72f8451464c405e602607c560cc616fa
Instruction ID: f1e424d68fc0a021c8e3139117ee162f3c427119af50d30996a827b86eb45735
Opcode Fuzzy Hash: 0598adac2f8279ac81a5400ede25dfba72f8451464c405e602607c560cc616fa
Instruction Fuzzy Hash: 7351C265E1CE8284FE54EB11E840579E369EF85BB0FC06132E95D036A9DFACE54DC720

Function 00007FF712FA71A0 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 137libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF712FA71E8

Part of subcall function 00007FF712FA21B0: DeviceIoControl.KERNEL32 ref: 00007FF712FA2233
Part of subcall function 00007FF712FA21B0: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF712FA2256
Part of subcall function 00007FF712FA21B0: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA2266

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA7210
GetProcAddress.KERNEL32 ref: 00007FF712FA7243
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FA731E

Strings

[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF712FA7343
ntdll.dll, xrefs: 00007FF712FA71E1
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF712FA7251
[-] Failed to load ntdll.dll, xrefs: 00007FF712FA71F3
[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF712FA7396
NtAddAtom, xrefs: 00007FF712FA7239, 00007FF712FA72BD

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$V01@@$AddressControlDeviceHandleModuleProc_invalid_parameter_noinfo_noreturn
String ID: NtAddAtom$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 154489249-2622504768
Opcode ID: 86984a702af20f0b40f524f1c749dc087346bc73c86c58b57c2b0be3829f5aa6
Instruction ID: 663505d52e29e0045639960b78e006b83bae81cd8465b46df716f8ae5e17ef89
Opcode Fuzzy Hash: 86984a702af20f0b40f524f1c749dc087346bc73c86c58b57c2b0be3829f5aa6
Instruction Fuzzy Hash: 60518065A1CE8281FA54EB11E44057EE369FF85BB0FC06532EE4E026A5DEACE548C720

Function 00007FF712FA6200 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 137libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF712FA2527), ref: 00007FF712FA6248

Part of subcall function 00007FF712FA21B0: DeviceIoControl.KERNEL32 ref: 00007FF712FA2233
Part of subcall function 00007FF712FA21B0: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF712FA2256
Part of subcall function 00007FF712FA21B0: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA2266

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF712FA2527), ref: 00007FF712FA6270
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF712FA2527), ref: 00007FF712FA62A3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FA637E

Strings

[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF712FA63A3
ntdll.dll, xrefs: 00007FF712FA6241
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF712FA62B1
[-] Failed to load ntdll.dll, xrefs: 00007FF712FA6253
[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF712FA63F6
NtAddAtom, xrefs: 00007FF712FA6299, 00007FF712FA631D

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$V01@@$AddressControlDeviceHandleModuleProc_invalid_parameter_noinfo_noreturn
String ID: NtAddAtom$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 154489249-2622504768
Opcode ID: a7aeee728203d2310d110607a9d1e2b9a6b044daf8f70859b1a0bd4e70a64d5d
Instruction ID: b9695330a5b5415162be71c6b88c1f5235b40c403f0ba0557e5b24e587018294
Opcode Fuzzy Hash: a7aeee728203d2310d110607a9d1e2b9a6b044daf8f70859b1a0bd4e70a64d5d
Instruction Fuzzy Hash: 7951A165E1CE8284FE50EB11E8401B9E369FF85BB0FC06532EA5D026A5DFACE54DC720

Function 00007FF712FA5B30 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 136libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF712FA5B6B

Part of subcall function 00007FF712FA21B0: DeviceIoControl.KERNEL32 ref: 00007FF712FA2233
Part of subcall function 00007FF712FA21B0: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF712FA2256
Part of subcall function 00007FF712FA21B0: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA2266

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA5B93
GetProcAddress.KERNEL32 ref: 00007FF712FA5BBD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FA5C98

Strings

[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF712FA5CBD
ntdll.dll, xrefs: 00007FF712FA5B64
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF712FA5BCB
[-] Failed to load ntdll.dll, xrefs: 00007FF712FA5B76
[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF712FA5D10
NtAddAtom, xrefs: 00007FF712FA5BB3, 00007FF712FA5C37

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$V01@@$AddressControlDeviceHandleModuleProc_invalid_parameter_noinfo_noreturn
String ID: NtAddAtom$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 154489249-2622504768
Opcode ID: 32dc34c0ae9ee0b6eba251c642774fc44b1622b33b1561fdd559461950f1189f
Instruction ID: ecbaed569806bdfe56129a4afa12542cd1a8e356300bd19ee96b9820f7e5e931
Opcode Fuzzy Hash: 32dc34c0ae9ee0b6eba251c642774fc44b1622b33b1561fdd559461950f1189f
Instruction Fuzzy Hash: 1351A0A5E1DE8280FA90EB11F8441B9A369EF85BB0FC06132D95D076A5DFACE54CC720

Function 00007FF712FA6AF0 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 134libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,00007FF712FA2FC0), ref: 00007FF712FA6B2B

Part of subcall function 00007FF712FA21B0: DeviceIoControl.KERNEL32 ref: 00007FF712FA2233
Part of subcall function 00007FF712FA21B0: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF712FA2256
Part of subcall function 00007FF712FA21B0: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA2266

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,00007FF712FA2FC0), ref: 00007FF712FA6B53
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,00007FF712FA2FC0), ref: 00007FF712FA6B7D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FA6C58

Strings

[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF712FA6C7D
ntdll.dll, xrefs: 00007FF712FA6B24
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF712FA6B8B
[-] Failed to load ntdll.dll, xrefs: 00007FF712FA6B36
[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF712FA6CD0
NtAddAtom, xrefs: 00007FF712FA6B73, 00007FF712FA6BF7

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$V01@@$AddressControlDeviceHandleModuleProc_invalid_parameter_noinfo_noreturn
String ID: NtAddAtom$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 154489249-2622504768
Opcode ID: c14c147c48265dd3acb890e12d03d46d933bbabdbd55ce446f90a33304c63688
Instruction ID: 1110230ed0a4e8a0298b75443701123aae90ef192eb894eb2cadf65131f6be15
Opcode Fuzzy Hash: c14c147c48265dd3acb890e12d03d46d933bbabdbd55ce446f90a33304c63688
Instruction Fuzzy Hash: D9519165E0CE8684FE50FB11A8401B9A369EF85BF0FC06132D95D036A5DFACE54CC720

Function 00007FF712FAB550 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 134libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF712FAB587

Part of subcall function 00007FF712FA21B0: DeviceIoControl.KERNEL32 ref: 00007FF712FA2233
Part of subcall function 00007FF712FA21B0: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF712FA2256
Part of subcall function 00007FF712FA21B0: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA2266

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FAB5AF
GetProcAddress.KERNEL32 ref: 00007FF712FAB5D9
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FAB6B4

Strings

[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF712FAB6D9
ntdll.dll, xrefs: 00007FF712FAB580
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF712FAB5E7
[-] Failed to load ntdll.dll, xrefs: 00007FF712FAB592
[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF712FAB72C
NtAddAtom, xrefs: 00007FF712FAB5CF, 00007FF712FAB653

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$V01@@$AddressControlDeviceHandleModuleProc_invalid_parameter_noinfo_noreturn
String ID: NtAddAtom$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 154489249-2622504768
Opcode ID: ac434236ce5727dbf312b3eb01a30ece9946ece8440f4d78977fb1a9973d4127
Instruction ID: e06143b338953df95364dfef69cfc591bcf406fce544e2a925869297eaa3be0f
Opcode Fuzzy Hash: ac434236ce5727dbf312b3eb01a30ece9946ece8440f4d78977fb1a9973d4127
Instruction Fuzzy Hash: AF51D465E0CE8680FA54EB15E440179E369EFA5BB0FC06532E94D077A9EFACE54CC720

Function 00007FF712FA5FD0 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 134libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF712FA600B

Part of subcall function 00007FF712FA21B0: DeviceIoControl.KERNEL32 ref: 00007FF712FA2233
Part of subcall function 00007FF712FA21B0: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF712FA2256
Part of subcall function 00007FF712FA21B0: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA2266

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA6033
GetProcAddress.KERNEL32 ref: 00007FF712FA605D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FA6138

Strings

[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF712FA615D
ntdll.dll, xrefs: 00007FF712FA6004
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF712FA606B
[-] Failed to load ntdll.dll, xrefs: 00007FF712FA6016
[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF712FA61B0
NtAddAtom, xrefs: 00007FF712FA6053, 00007FF712FA60D7

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$V01@@$AddressControlDeviceHandleModuleProc_invalid_parameter_noinfo_noreturn
String ID: NtAddAtom$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 154489249-2622504768
Opcode ID: 889e8801427a32611402ce252f494299d1af2096b2670724ac2c8730fc5814fc
Instruction ID: 85ef1f38796d4dcb6fb2d9de7b16dbbddbe378349d75ad289fc5df5954d430f9
Opcode Fuzzy Hash: 889e8801427a32611402ce252f494299d1af2096b2670724ac2c8730fc5814fc
Instruction Fuzzy Hash: 54518065E1CE8284FE80EB11E841279A769EF85FB0FC06136E95D036A5DFACE54DC720

Function 00007FF712FA6450 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 133libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF712FA2654), ref: 00007FF712FA648B

Part of subcall function 00007FF712FA21B0: DeviceIoControl.KERNEL32 ref: 00007FF712FA2233
Part of subcall function 00007FF712FA21B0: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF712FA2256
Part of subcall function 00007FF712FA21B0: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA2266

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF712FA2654), ref: 00007FF712FA64B3
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF712FA2654), ref: 00007FF712FA64DD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FA65B8

Strings

[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF712FA65DD
ntdll.dll, xrefs: 00007FF712FA6484
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF712FA64EB
[-] Failed to load ntdll.dll, xrefs: 00007FF712FA6496
[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF712FA6630
NtAddAtom, xrefs: 00007FF712FA64D3, 00007FF712FA6557

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$V01@@$AddressControlDeviceHandleModuleProc_invalid_parameter_noinfo_noreturn
String ID: NtAddAtom$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 154489249-2622504768
Opcode ID: 19f761691804353067ecc0926fd1012f3672fb0e7a630a9f4463065463ea0e83
Instruction ID: 81cda1c39a3ffaac1327acdd8c93bb033cc720046d745a72104cb887f1207c32
Opcode Fuzzy Hash: 19f761691804353067ecc0926fd1012f3672fb0e7a630a9f4463065463ea0e83
Instruction Fuzzy Hash: 69518465E0CE8284FE90EB15E440579A369EF85BB0FC06532ED5D067A9DFACE54CC720

Function 00007FF712FA73F0 Relevance: 16.7, APIs: 11, Instructions: 174COMMON

Download Yara Rule

APIs

?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF712FA7469
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF712FA7489
?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF712FA7499
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF712FA74C4

Part of subcall function 00007FF712FA7770: ??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF712FA587A), ref: 00007FF712FA779D
Part of subcall function 00007FF712FA7770: ??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF712FA587A), ref: 00007FF712FA77B7
Part of subcall function 00007FF712FA7770: ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF712FA587A), ref: 00007FF712FA77E9
Part of subcall function 00007FF712FA7770: ?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF712FA587A), ref: 00007FF712FA7814
Part of subcall function 00007FF712FA7770: std::_Facet_Register.LIBCPMT ref: 00007FF712FA782D
Part of subcall function 00007FF712FA7770: ??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF712FA587A), ref: 00007FF712FA784C

?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF712FA7536
?widen@?$ctype@_W@std@@QEBA_WD@Z.MSVCP140 ref: 00007FF712FA757E
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF712FA758C
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF712FA7616
?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF712FA761D
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF712FA762A

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: U?$char_traits@_W@std@@@std@@$?good@ios_base@std@@?sputc@?$basic_streambuf@_D@std@@@std@@Lockit@std@@U?$char_traits@W@std@@$??0_??1_?flush@?$basic_ostream@?getloc@ios_base@std@@?setstate@?$basic_ios@_?uncaught_exception@std@@?widen@?$ctype@_Bid@locale@std@@Facet_Getcat@?$ctype@_Getgloballocale@locale@std@@Locimp@12@Osfx@?$basic_ostream@RegisterV12@V42@@Vfacet@locale@2@Vlocale@2@std::_
String ID:
API String ID: 2973256615-0
Opcode ID: 6e30b972e05837cadb7f8be51d6bda803ea3bc5b1344eee3df67cfc917f53fab
Instruction ID: b9604bee500374127a6dd7432b64e95ec409ddc8e362da1d78528ec863417329
Opcode Fuzzy Hash: 6e30b972e05837cadb7f8be51d6bda803ea3bc5b1344eee3df67cfc917f53fab
Instruction Fuzzy Hash: 79616A22A08E4185EB64AF1AE59063DE7A4FB84FA5F94D531CE4F437A0CE7DD44AC310

Function 00007FF712FA91E0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF712FA8AC0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FA8BBC

_CxxThrowException.VCRUNTIME140 ref: 00007FF712FA9233
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF712FA9290
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@K@Z.MSVCP140 ref: 00007FF712FA929E
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF712FA9271

Part of subcall function 00007FF712FA5910: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA5A07

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA92C3

Part of subcall function 00007FF712FA5910: ?good@ios_base@std@@QEBA_NXZ.MSVCP140(FFFFFFFF,00000000,?,?,?,00007FF712FA15D3), ref: 00007FF712FA598A
Part of subcall function 00007FF712FA5910: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA59AA
Part of subcall function 00007FF712FA5910: ?good@ios_base@std@@QEBA_NXZ.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA59BA
Part of subcall function 00007FF712FA5910: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA5A9D
Part of subcall function 00007FF712FA5910: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA5AA4
Part of subcall function 00007FF712FA5910: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA5AB1

Strings

exists, xrefs: 00007FF712FA91F4
[!!] Crash at addr 0x, xrefs: 00007FF712FA925B
by 0x, xrefs: 00007FF712FA927A
[!!] Crash, xrefs: 00007FF712FA92AD

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: U?$char_traits@_W@std@@@std@@$V01@$??6?$basic_ostream@_$?good@ios_base@std@@D@std@@@std@@U?$char_traits@$?flush@?$basic_ostream@?setstate@?$basic_ios@_?sputc@?$basic_streambuf@_?uncaught_exception@std@@ExceptionOsfx@?$basic_ostream@ThrowV01@@V12@V21@@Vios_base@1@_invalid_parameter_noinfo_noreturn
String ID: by 0x$[!!] Crash$[!!] Crash at addr 0x$exists
API String ID: 1962189573-3783130642
Opcode ID: cb8aec755a4dff07834bb78939aba83dae9edfddd6cf4031469c8ad0a235181d
Instruction ID: 1fb41666efe0d2e4a0a550295a43e026d147dbdfb026b99481a77c6afdd47e62
Opcode Fuzzy Hash: cb8aec755a4dff07834bb78939aba83dae9edfddd6cf4031469c8ad0a235181d
Instruction Fuzzy Hash: E1219165E28D4681FF50FB15E8542B5A368FF88BA4FC06131D94E07665EFACE24CC720

Function 00007FF712FAB780 Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF712FAB7F9
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF712FAB819
?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF712FAB829
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF712FAB876
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140 ref: 00007FF712FAB89D
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF712FAB8BE
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF712FAB904
?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF712FAB90B
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF712FAB918

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?good@ios_base@std@@?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@_?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@U?$char_traits@_V12@W@std@@@std@@
String ID:
API String ID: 2083409246-0
Opcode ID: 995241264b72de41830260dbbeacee41ba42a18de3e4f02d7f4f7901d45b0976
Instruction ID: 75ba818daf071ce54fc05d98af6cb0d224ef79497ec728ef195703974452cea6
Opcode Fuzzy Hash: 995241264b72de41830260dbbeacee41ba42a18de3e4f02d7f4f7901d45b0976
Instruction Fuzzy Hash: DC516032A08E4581EB60AF1DE490639E764FF94FA1F55D531CA4E437A0DF79D44AC310

Function 00007FF712FA7FA0 Relevance: 13.6, APIs: 9, Instructions: 134COMMON

Download Yara Rule

APIs

?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF712FA800B
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF712FA802B
?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF712FA803B
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF712FA8088
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140 ref: 00007FF712FA80B6
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF712FA80D7
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF712FA811E
?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF712FA8125
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF712FA8132

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@U?$char_traits@_W@std@@@std@@$?good@ios_base@std@@?sputc@?$basic_streambuf@_$?flush@?$basic_ostream@?setstate@?$basic_ios@_?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
String ID:
API String ID: 1647946921-0
Opcode ID: 2f02b737f9279430c0173249664ba262c41aeca312119fbd8b4292766f3a03f4
Instruction ID: c9a1e0f31692a5a531e8869f61e90161a3e300b16d1b5e733394afc055550c2f
Opcode Fuzzy Hash: 2f02b737f9279430c0173249664ba262c41aeca312119fbd8b4292766f3a03f4
Instruction Fuzzy Hash: E9511D32608E4181EB60AF1AE590639E7A4FF84FA5F55D532CE4E43B60CEBDD54AC310

Function 00007FF712FABA70 Relevance: 13.6, APIs: 9, Instructions: 131COMMON

Download Yara Rule

APIs

?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF712FABAD5
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF712FABAF5
?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF712FABB05
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF712FABB4C
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140 ref: 00007FF712FABB79
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF712FABB9A
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF712FABBE0
?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF712FABBE7
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF712FABBF4

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?good@ios_base@std@@?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@_?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@U?$char_traits@_V12@W@std@@@std@@
String ID:
API String ID: 2083409246-0
Opcode ID: 2862dfad34ac5828d1a006ccca6c2ac85844cf3bb21fc956f02b1988b8e75b98
Instruction ID: 48cbbf16df4477771a1701ed6465a05d88f3a9ca1acbd191744c48cabec5d01f
Opcode Fuzzy Hash: 2862dfad34ac5828d1a006ccca6c2ac85844cf3bb21fc956f02b1988b8e75b98
Instruction Fuzzy Hash: 9C515E22A09E4582EB60AF1AE4D0239E7A4EF94FE1F55D931CE4E437A4DE7DD44AC310

Function 00007FF712FAB190 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 262COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF712FAD960: NtQuerySystemInformation.NTDLL ref: 00007FF712FAD993
Part of subcall function 00007FF712FAD960: VirtualFree.KERNEL32 ref: 00007FF712FAD9B0
Part of subcall function 00007FF712FAD960: VirtualAlloc.KERNEL32 ref: 00007FF712FAD9C6
Part of subcall function 00007FF712FAD960: NtQuerySystemInformation.NTDLL ref: 00007FF712FAD9E1
Part of subcall function 00007FF712FAD960: VirtualFree.KERNEL32 ref: 00007FF712FADA02

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FAB2DE
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FAB3F3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FAB47C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FAB504

Strings

[-] Failed to resolve import , xrefs: 00007FF712FAB23C
wasn't found, xrefs: 00007FF712FAB2C5
[-] Dependency , xrefs: 00007FF712FAB299

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: Virtual_invalid_parameter_noinfo_noreturn$FreeInformationQuerySystemV01@$??6?$basic_ostream@_AllocU?$char_traits@_V01@@W@std@@@std@@
String ID: wasn't found$[-] Dependency $[-] Failed to resolve import
API String ID: 1004173435-3042260135
Opcode ID: 645e99253ffd2f566eefbc96e6a7edf7e8775c11949c8009a4399fe78bdfe6de
Instruction ID: 903785664e824102cd575509132cee2d9d082d5c2a1e7b73808cdcc3b9176bb8
Opcode Fuzzy Hash: 645e99253ffd2f566eefbc96e6a7edf7e8775c11949c8009a4399fe78bdfe6de
Instruction Fuzzy Hash: 3491D861B05F4A81EE48EF56E45427DA3A9EB59FD0F80A836CE4D4B755EEBCD088C310

Function 00007FF712FA8BF0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 194COMMON

Download Yara Rule

APIs

__std_fs_code_page.MSVCPRT ref: 00007FF712FA8C4F

Part of subcall function 00007FF712FAE050: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,00007FF712FA8C54), ref: 00007FF712FAE054
Part of subcall function 00007FF712FAE050: AreFileApisANSI.KERNEL32(?,?,?,?,00007FF712FA8C54), ref: 00007FF712FAE063

memmove.VCRUNTIME140 ref: 00007FF712FA8D1F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FA8DFA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FA8E3F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FA8E8D

Strings

", ", xrefs: 00007FF712FA8DA8
: ", xrefs: 00007FF712FA8D75

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ApisFile___lc_codepage_func__std_fs_code_pagememmove
String ID: ", "$: "
API String ID: 1229626011-747220369
Opcode ID: 77aebda6c8ace7f27da960d44581003b861d7b784f5c4b33078a3c17ff0196f5
Instruction ID: 88a6e20a64dac81b237f5ccb8ee6d514553d5102e924f8a844edd4a168ea3592
Opcode Fuzzy Hash: 77aebda6c8ace7f27da960d44581003b861d7b784f5c4b33078a3c17ff0196f5
Instruction Fuzzy Hash: 7981B162B04F4589EB44EF65D4843ACA326FB44FA8F806531DE1E13B99DFB8D558C350

Function 00007FF712FA3990 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 98COMMON

Download Yara Rule

APIs

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,00007FF712FA3350), ref: 00007FF712FA39D3

Part of subcall function 00007FF712FA2110: DeviceIoControl.KERNEL32 ref: 00007FF712FA2178

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,00007FF712FA3350), ref: 00007FF712FA3A34
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,00007FF712FA3350), ref: 00007FF712FA3AC8

Part of subcall function 00007FF712FA5910: ?good@ios_base@std@@QEBA_NXZ.MSVCP140(FFFFFFFF,00000000,?,?,?,00007FF712FA15D3), ref: 00007FF712FA598A
Part of subcall function 00007FF712FA5910: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA59AA
Part of subcall function 00007FF712FA5910: ?good@ios_base@std@@QEBA_NXZ.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA59BA
Part of subcall function 00007FF712FA5910: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA5A9D
Part of subcall function 00007FF712FA5910: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA5AA4
Part of subcall function 00007FF712FA5910: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA5AB1

Strings

[-] Can't find pattern, xrefs: 00007FF712FA3AB2
[-] Can't find pattern, Too big section, xrefs: 00007FF712FA39E9
[-] Read failed in FindPatternAtKernel, xrefs: 00007FF712FA3A1E
[-] No module address to find pattern, xrefs: 00007FF712FA39B6

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: V01@$U?$char_traits@_W@std@@@std@@$??6?$basic_ostream@_V01@@$?good@ios_base@std@@D@std@@@std@@U?$char_traits@$?flush@?$basic_ostream@?setstate@?$basic_ios@_?uncaught_exception@std@@ControlDeviceOsfx@?$basic_ostream@V12@
String ID: [-] Can't find pattern$[-] Can't find pattern, Too big section$[-] No module address to find pattern$[-] Read failed in FindPatternAtKernel
API String ID: 3011380806-521562947
Opcode ID: 9681650a9704a53e467fc2b676a7d8eda154af6d3dcc580528ff5f037b4c977e
Instruction ID: dbaf95ab58f5866128dd051ec0131063300d81a5c3a2c39a1cc3dc4afa929b65
Opcode Fuzzy Hash: 9681650a9704a53e467fc2b676a7d8eda154af6d3dcc580528ff5f037b4c977e
Instruction Fuzzy Hash: 58419C69E18E5281FA90AB11A854279E369EF49FF0FC42132D95F07695DFECE60DC320

Function 00007FF712FADBD0 Relevance: 12.2, APIs: 8, Instructions: 165COMMON

Download Yara Rule

APIs

?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF712FADC13
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF712FADC3B
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF712FADCA5
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF712FADCCE
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF712FADCEF
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF712FADD38
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF712FADD83
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF712FADDC3

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sgetc@?$basic_streambuf@$?sbumpc@?$basic_streambuf@
String ID:
API String ID: 2679766405-0
Opcode ID: ae3bff6e265307a41a570617d580a1bc1f3e832f3c244a2d68e2611d1d70cf92
Instruction ID: 02f2f4580af5f223150e7f24c14cf68f03357f8a24b11ca8503478efd7721569
Opcode Fuzzy Hash: ae3bff6e265307a41a570617d580a1bc1f3e832f3c244a2d68e2611d1d70cf92
Instruction Fuzzy Hash: 3861F82190DE8242EEA56B21A500179E768AF16F78F986530DFAE073D1DFBCE45DD320

Function 00007FF712FAD660 Relevance: 12.1, APIs: 8, Instructions: 135COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF712FAD6A1
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF712FAD6C0
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF712FAD6DF
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF712FAD713
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF712FAD732
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF712FAD77B
??7ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF712FAD7B4

Part of subcall function 00007FF712FADBD0: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF712FADC13
Part of subcall function 00007FF712FADBD0: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF712FADC3B
Part of subcall function 00007FF712FADBD0: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF712FADCA5
Part of subcall function 00007FF712FADBD0: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF712FADD38

Part of subcall function 00007FF712FA56E0: fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712FA5740
Part of subcall function 00007FF712FA56E0: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF712FA5762

?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF712FAD85A

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$?sgetc@?$basic_streambuf@$?setstate@?$basic_ios@_Init@?$basic_streambuf@U?$char_traits@_W@std@@@std@@$??0?$basic_ios@??0?$basic_istream@??0?$basic_streambuf@??7ios_base@std@@D@std@@@1@_V?$basic_streambuf@fclosememset
String ID:
API String ID: 3683839571-0
Opcode ID: 25883d728def731ad64dee20e29615aa019122eee087f319b2970cee591e8202
Instruction ID: 34c7417998a0eaa68470dc537481a5972dcb1f5646191d5212e935bb5e0ffacd
Opcode Fuzzy Hash: 25883d728def731ad64dee20e29615aa019122eee087f319b2970cee591e8202
Instruction Fuzzy Hash: 77618232618B85CADB10DF64E4802AEB774FB85B58F444126EB8C43B68DFBDD508CB10

Function 00007FF712FA7C40 Relevance: 10.7, APIs: 7, Instructions: 159COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF712FA7CD7
memmove.VCRUNTIME140 ref: 00007FF712FA7D22
memmove.VCRUNTIME140 ref: 00007FF712FA7D3A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FA7DD7
memmove.VCRUNTIME140 ref: 00007FF712FA7E0C
memmove.VCRUNTIME140 ref: 00007FF712FA7E2A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF712FA7E4D

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: 9f934668936d86b54b86d4dd7fc3ccd8f8fef71026727e6d955ff449e3898f8a
Instruction ID: 53ddd0a47ab1abda025e7bd6f29edd8b2c76012374265dac405a892f24976926
Opcode Fuzzy Hash: 9f934668936d86b54b86d4dd7fc3ccd8f8fef71026727e6d955ff449e3898f8a
Instruction Fuzzy Hash: 7251D032A08F8181EA54BF25D4446ACA368FB54FA8FA45635DF2E073D1CFB8E198C350

Function 00007FF712FA3B10 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 110COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF712FA2110: DeviceIoControl.KERNEL32 ref: 00007FF712FA2178

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,00007FF712FA3350), ref: 00007FF712FA3B85

Part of subcall function 00007FF712FA5910: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA5A07

memcmp.VCRUNTIME140(?,?,?,00007FF712FA3350), ref: 00007FF712FA3C10

Part of subcall function 00007FF712FA5910: ?good@ios_base@std@@QEBA_NXZ.MSVCP140(FFFFFFFF,00000000,?,?,?,00007FF712FA15D3), ref: 00007FF712FA598A
Part of subcall function 00007FF712FA5910: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA59AA
Part of subcall function 00007FF712FA5910: ?good@ios_base@std@@QEBA_NXZ.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA59BA
Part of subcall function 00007FF712FA5910: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA5A9D
Part of subcall function 00007FF712FA5910: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA5AA4
Part of subcall function 00007FF712FA5910: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,00007FF712FA15D3), ref: 00007FF712FA5AB1

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,00007FF712FA3350), ref: 00007FF712FA3C82

Strings

PAGE, xrefs: 00007FF712FA3B9B, 00007FF712FA3C35
[-] Can't find section, xrefs: 00007FF712FA3C6C
[-] Can't read module headers, xrefs: 00007FF712FA3B6F

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: U?$char_traits@_V01@W@std@@@std@@$??6?$basic_ostream@_?good@ios_base@std@@D@std@@@std@@U?$char_traits@V01@@$?flush@?$basic_ostream@?setstate@?$basic_ios@_?sputc@?$basic_streambuf@_?uncaught_exception@std@@ControlDeviceOsfx@?$basic_ostream@V12@memcmp
String ID: PAGE$[-] Can't find section$[-] Can't read module headers
API String ID: 638855019-1129567509
Opcode ID: c1b9f6722e048ac76462a8418d5f70b9f9fa35a5b740861809e3c77073f68516
Instruction ID: 3e942aeccbcaeae406a1e2efdbf4f3b2c583bd57585acd06b8835915e9d27650
Opcode Fuzzy Hash: c1b9f6722e048ac76462a8418d5f70b9f9fa35a5b740861809e3c77073f68516
Instruction Fuzzy Hash: 5D417335A08EC681EA60AB15E4401BAE399FB45BA4F902231DE9E07798DFFCD589C710

Function 00007FF712FA7660 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF712FA587A), ref: 00007FF712FA768D
??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF712FA587A), ref: 00007FF712FA76A7
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF712FA587A), ref: 00007FF712FA76D9
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF712FA587A), ref: 00007FF712FA7704
std::_Facet_Register.LIBCPMT ref: 00007FF712FA771D
??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF712FA587A), ref: 00007FF712FA773C
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF712FA7767

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Concurrency::cancel_current_taskFacet_Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterV42@@Vfacet@locale@2@std::_
String ID:
API String ID: 762505753-0
Opcode ID: fc0c05cf245312811c55d37bca6684000efdcfe318ee16aa275d3c0e69135d5b
Instruction ID: 563b29c3095fb1a55e9515175cfb53992935f2f30e983db6c47c999f884245ca
Opcode Fuzzy Hash: fc0c05cf245312811c55d37bca6684000efdcfe318ee16aa275d3c0e69135d5b
Instruction Fuzzy Hash: B8318F26A08F4581EB54AF15E84016EB368FB88FE4F881631DB9E077A4CF7CE558CB10

Function 00007FF712FA7770 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF712FA587A), ref: 00007FF712FA779D
??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF712FA587A), ref: 00007FF712FA77B7
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF712FA587A), ref: 00007FF712FA77E9
?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF712FA587A), ref: 00007FF712FA7814
std::_Facet_Register.LIBCPMT ref: 00007FF712FA782D
??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF712FA587A), ref: 00007FF712FA784C
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF712FA7877

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Concurrency::cancel_current_taskFacet_Getcat@?$ctype@_Getgloballocale@locale@std@@Locimp@12@RegisterV42@@Vfacet@locale@2@W@std@@std::_
String ID:
API String ID: 3972169111-0
Opcode ID: 3efbe734a0d7aa127617d418fdae985bc1ea4853025692f7bca7142041a1f8b9
Instruction ID: 50791f184b134bec1f08c94de241fc996c3bc9495943453795bbf4e64bd2aad7
Opcode Fuzzy Hash: 3efbe734a0d7aa127617d418fdae985bc1ea4853025692f7bca7142041a1f8b9
Instruction Fuzzy Hash: 5D316E26A08F4581EB54AF15E44056AB368FB88FA4F881631DA9E077A4CFBCE598C710

Function 00007FF712FA4C40 Relevance: 9.2, APIs: 6, Instructions: 178COMMON

Download Yara Rule

APIs

fgetc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712FA4CF2

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: fgetc
String ID:
API String ID: 2807381905-0
Opcode ID: 5c9360094abfdcaad5a1fbe469f4c87194c21e3cc4b8d4d3b104f360325181d3
Instruction ID: 911edbeb3801ec9dd7e115d1cb93b5cd7fb8aec12dc2a599ca35c3efcfbf20f5
Opcode Fuzzy Hash: 5c9360094abfdcaad5a1fbe469f4c87194c21e3cc4b8d4d3b104f360325181d3
Instruction Fuzzy Hash: A8819C32B04E4198EB40DF64C4803AD77B8FB48B68F941632DA1D53B98DF78D5A8C320

Function 00007FF712FAA3A0 Relevance: 9.1, APIs: 6, Instructions: 120COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF712FAA48F
memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF712FAA49C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF712FAA4D5
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF712FAA4DF
memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF712FAA4EC
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF712FAA520

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: memmovememset$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2171940698-0
Opcode ID: 76d32cd794f8d37f6432e671754ca973aea2a5c3a3a6e8336055bc2432d9ca23
Instruction ID: 4cff80e95b9c5f506f42f44da055a6f987eb926ec22926e2b58483b2e50efeea
Opcode Fuzzy Hash: 76d32cd794f8d37f6432e671754ca973aea2a5c3a3a6e8336055bc2432d9ca23
Instruction Fuzzy Hash: 4841F421B18E4181EA50EF26E24826EA3A9EB44FF0F845635EE6D077D5DEBCD05DC320

Function 00007FF712FAA530 Relevance: 9.1, APIs: 6, Instructions: 112COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,?,?,7FFFFFFFFFFFFFFF,00007FF712FA9F85), ref: 00007FF712FAA624
memmove.VCRUNTIME140(?,?,?,?,?,7FFFFFFFFFFFFFFF,00007FF712FA9F85), ref: 00007FF712FAA632
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,7FFFFFFFFFFFFFFF,00007FF712FA9F85), ref: 00007FF712FAA66B
memmove.VCRUNTIME140(?,?,?,?,?,7FFFFFFFFFFFFFFF,00007FF712FA9F85), ref: 00007FF712FAA675
memmove.VCRUNTIME140(?,?,?,?,?,7FFFFFFFFFFFFFFF,00007FF712FA9F85), ref: 00007FF712FAA683
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF712FAA6B8

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: 138ee53cf7a6f8e33c05b3e84bf3ed7a69d9c4d127627c5a14d9e7585bc29991
Instruction ID: 52c17ed534a32f202a1e220aed8e359101aa9aa15db1bd560b583614e294b0bc
Opcode Fuzzy Hash: 138ee53cf7a6f8e33c05b3e84bf3ed7a69d9c4d127627c5a14d9e7585bc29991
Instruction Fuzzy Hash: EC410262B19E4285EE60BB16950426AE3A9FB04FE0F881631DE5D0B7C5DEBCE04CC724

Function 00007FF712FA57A0 Relevance: 9.1, APIs: 6, Instructions: 84COMMON

Download Yara Rule

APIs

?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z.MSVCP140 ref: 00007FF712FA57DA
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF712FA57F7
_get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712FA5820
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF712FA586B

Part of subcall function 00007FF712FA7660: ??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF712FA587A), ref: 00007FF712FA768D
Part of subcall function 00007FF712FA7660: ??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF712FA587A), ref: 00007FF712FA76A7
Part of subcall function 00007FF712FA7660: ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF712FA587A), ref: 00007FF712FA76D9
Part of subcall function 00007FF712FA7660: ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF712FA587A), ref: 00007FF712FA7704
Part of subcall function 00007FF712FA7660: std::_Facet_Register.LIBCPMT ref: 00007FF712FA771D
Part of subcall function 00007FF712FA7660: ??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF712FA587A), ref: 00007FF712FA773C

?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF712FA5880
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF712FA5897

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$Init@?$basic_streambuf@Lockit@std@@$??0_??1_?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@Bid@locale@std@@Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@_get_stream_buffer_pointersstd::_
String ID:
API String ID: 3911317180-0
Opcode ID: c354ea2c32dc86adfe6d6ccd3333bf63ea57a083845b076d1c720a198f2f3d27
Instruction ID: 8869c08a7ebd518adc50912e8607dff6623d40422bb8b72d816723efa7a9f457
Opcode Fuzzy Hash: c354ea2c32dc86adfe6d6ccd3333bf63ea57a083845b076d1c720a198f2f3d27
Instruction Fuzzy Hash: D9315832A09F4182EB90AF25B84472AB3E8FB48F98F441135DA8E07B58EF7CD448C710

Function 00007FF712FA52C0 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF712FA52F3
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF712FA5312
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF712FA5344
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF712FA535F

Part of subcall function 00007FF712FA57A0: ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z.MSVCP140 ref: 00007FF712FA57DA
Part of subcall function 00007FF712FA57A0: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF712FA57F7
Part of subcall function 00007FF712FA57A0: _get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712FA5820
Part of subcall function 00007FF712FA57A0: ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF712FA586B
Part of subcall function 00007FF712FA57A0: ?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF712FA5880

?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF712FA53A9

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$Init@?$basic_streambuf@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@?setstate@?$basic_ios@_D@std@@@1@_Fiopen@std@@U?$char_traits@_U_iobuf@@V?$basic_streambuf@Vlocale@2@W@std@@@std@@_get_stream_buffer_pointers
String ID:
API String ID: 3167182450-0
Opcode ID: 3e7188ed2be0308aff44c332e7ad335a206ca2894e76ea5de0786c4a5f0ef909
Instruction ID: aed4abcbb43f1cb04332a8a99bff17e11ee5da46d120f9fe5560c8c18b80bfa7
Opcode Fuzzy Hash: 3e7188ed2be0308aff44c332e7ad335a206ca2894e76ea5de0786c4a5f0ef909
Instruction Fuzzy Hash: 33211932608F4586EB109F29F85472AB7A8FB89F98F848135DA8D43724DF7DD109CB50

Function 00007FF712FACDD0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FACE79
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF712FACF29

Part of subcall function 00007FF712FAE8F8: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF712FA7B5F,?,?,?,?,?,?,?,?,?,00007FF712FA1347), ref: 00007FF712FAE912

Strings

gfffffff, xrefs: 00007FF712FABCBD
gfffffff, xrefs: 00007FF712FACE0B

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID: gfffffff$gfffffff
API String ID: 1934640635-161084747
Opcode ID: 125928987bac40873d51d87558d4c1396d3723bbe5d6c1ea923cbd2a1b7af872
Instruction ID: 805dc8bd5a9bf8d4e5d7dc2d705214d38c8c3743ad025905fcaf62a95ee4a15f
Opcode Fuzzy Hash: 125928987bac40873d51d87558d4c1396d3723bbe5d6c1ea923cbd2a1b7af872
Instruction Fuzzy Hash: A5510172605F4981EE94EF13F440269A3A9EB48FE0F989632DA8D87B94DF7CD095C311

Function 00007FF712FA3120 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FA3255
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA32A7

Part of subcall function 00007FF712FA71A0: GetModuleHandleA.KERNEL32 ref: 00007FF712FA71E8
Part of subcall function 00007FF712FA71A0: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA7210

Strings

[!] Failed to find RtlLookupElementGenericTableAvl, xrefs: 00007FF712FA328A
RtlLookupElementGenericTableAvl, xrefs: 00007FF712FA31F4

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_V01@@W@std@@@std@@$HandleModule_invalid_parameter_noinfo_noreturn
String ID: RtlLookupElementGenericTableAvl$[!] Failed to find RtlLookupElementGenericTableAvl
API String ID: 4059861771-1952825546
Opcode ID: bcd49be5a217e407e850f460350e7be60e9ac90b43849d76150decf3d1dc7fe4
Instruction ID: 3ad9c1837844eee97b7a637b279fae4dc21e3fb8ca3e1a8a31e4bf23c706293b
Opcode Fuzzy Hash: bcd49be5a217e407e850f460350e7be60e9ac90b43849d76150decf3d1dc7fe4
Instruction Fuzzy Hash: 27419525E18F8681EA40EB15E840779E364FBD4BB0F905235EA9D436A5DFBCE188C710

Function 00007FF712FA2E90 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,-0000000A,00007FF712FA352D), ref: 00007FF712FA2F9A

Part of subcall function 00007FF712FAE880: AcquireSRWLockExclusive.KERNEL32 ref: 00007FF712FAE890

Part of subcall function 00007FF712FA79C0: memmove.VCRUNTIME140(00000000,?,?,?,00007FF712FA1347), ref: 00007FF712FA79F8

Part of subcall function 00007FF712FA27A0: memset.VCRUNTIME140 ref: 00007FF712FA27FE
Part of subcall function 00007FF712FA27A0: VirtualAlloc.KERNEL32 ref: 00007FF712FA28B1
Part of subcall function 00007FF712FA27A0: VirtualFree.KERNEL32 ref: 00007FF712FA28E8

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,-0000000A,00007FF712FA352D), ref: 00007FF712FA2F5A

Strings

ExAcquireResourceExclusiveLite, xrefs: 00007FF712FA2EF9
[!] Failed to find ExAcquireResourceExclusiveLite, xrefs: 00007FF712FA2F7D

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: V01@Virtual$??6?$basic_ostream@_AcquireAllocExclusiveFreeLockU?$char_traits@_V01@@W@std@@@std@@_invalid_parameter_noinfo_noreturnmemmovememset
String ID: ExAcquireResourceExclusiveLite$[!] Failed to find ExAcquireResourceExclusiveLite
API String ID: 553075718-2131800721
Opcode ID: baee237ac382df74e71630cb824e1fa9c00e14fbca817ab0610956009f8a0346
Instruction ID: 559bdddbe9e2988e2250d6663bbba2c5111748e5116cd36924d3a4410a8032da
Opcode Fuzzy Hash: baee237ac382df74e71630cb824e1fa9c00e14fbca817ab0610956009f8a0346
Instruction Fuzzy Hash: 01318565F28E4641FE80EB14E4403B9A359EF95BF0FD06231E95E426E5DFACE588C720

Function 00007FF712FA2400 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA2502

Part of subcall function 00007FF712FAE880: AcquireSRWLockExclusive.KERNEL32 ref: 00007FF712FAE890

Part of subcall function 00007FF712FA79C0: memmove.VCRUNTIME140(00000000,?,?,?,00007FF712FA1347), ref: 00007FF712FA79F8

Part of subcall function 00007FF712FA27A0: memset.VCRUNTIME140 ref: 00007FF712FA27FE
Part of subcall function 00007FF712FA27A0: VirtualAlloc.KERNEL32 ref: 00007FF712FA28B1
Part of subcall function 00007FF712FA27A0: VirtualFree.KERNEL32 ref: 00007FF712FA28E8

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FA24C2

Strings

[!] Failed to find MmUnmapLockedPages, xrefs: 00007FF712FA24E5
MmUnmapLockedPages, xrefs: 00007FF712FA2461

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: V01@Virtual$??6?$basic_ostream@_AcquireAllocExclusiveFreeLockU?$char_traits@_V01@@W@std@@@std@@_invalid_parameter_noinfo_noreturnmemmovememset
String ID: MmUnmapLockedPages$[!] Failed to find MmUnmapLockedPages
API String ID: 553075718-2848997145
Opcode ID: 2bbbd5cf02c9539b27defda79233b67272ac196bb32ad00827a22407c3b2ad44
Instruction ID: 3861195364de80ecf2648c38620fd40ac2d6d648d875139a50a35123bdb5f30d
Opcode Fuzzy Hash: 2bbbd5cf02c9539b27defda79233b67272ac196bb32ad00827a22407c3b2ad44
Instruction Fuzzy Hash: 78319465F28E4641FA40FB18E8406B5A325AF95BF0FD06632E91D426E5DFACE5C9C320

Function 00007FF712FA2530 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA2631

Part of subcall function 00007FF712FAE880: AcquireSRWLockExclusive.KERNEL32 ref: 00007FF712FAE890

Part of subcall function 00007FF712FA79C0: memmove.VCRUNTIME140(00000000,?,?,?,00007FF712FA1347), ref: 00007FF712FA79F8

Part of subcall function 00007FF712FA27A0: memset.VCRUNTIME140 ref: 00007FF712FA27FE
Part of subcall function 00007FF712FA27A0: VirtualAlloc.KERNEL32 ref: 00007FF712FA28B1
Part of subcall function 00007FF712FA27A0: VirtualFree.KERNEL32 ref: 00007FF712FA28E8

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FA25F1

Strings

MmFreePagesFromMdl, xrefs: 00007FF712FA2590
[!] Failed to find MmFreePagesFromMdl, xrefs: 00007FF712FA2614

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: V01@Virtual$??6?$basic_ostream@_AcquireAllocExclusiveFreeLockU?$char_traits@_V01@@W@std@@@std@@_invalid_parameter_noinfo_noreturnmemmovememset
String ID: MmFreePagesFromMdl$[!] Failed to find MmFreePagesFromMdl
API String ID: 553075718-1029121595
Opcode ID: 474e974e00c07895c1f24c7bfaa3daabff343b95b0cbf13d464a2a10fa22dde9
Instruction ID: 95279603b133e0cbb5ca2f2c192765738fb92340532112229085ed69b0857758
Opcode Fuzzy Hash: 474e974e00c07895c1f24c7bfaa3daabff343b95b0cbf13d464a2a10fa22dde9
Instruction Fuzzy Hash: F431C865F18E4641EE40EB15E850275A365FF88BF0FC06731D96D027A5DFACE588C710

Function 00007FF712FA92F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12processCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF712FA73F0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF712FA7469
Part of subcall function 00007FF712FA73F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF712FA7489
Part of subcall function 00007FF712FA73F0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF712FA7499
Part of subcall function 00007FF712FA73F0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF712FA7616
Part of subcall function 00007FF712FA73F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF712FA761D
Part of subcall function 00007FF712FA73F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF712FA762A

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF712FA9311
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FA931E

Strings

[+] Callback example called, xrefs: 00007FF712FA92FB
pause, xrefs: 00007FF712FA9317

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: ?good@ios_base@std@@D@std@@@std@@U?$char_traits@U?$char_traits@_V01@W@std@@@std@@$??6?$basic_ostream@_?flush@?$basic_ostream@?setstate@?$basic_ios@_?uncaught_exception@std@@Osfx@?$basic_ostream@V01@@V12@system
String ID: [+] Callback example called$pause
API String ID: 1016348259-1534954768
Opcode ID: 33508f0c83e1a5f07c8441ff7fb8a9ca715392c64914d1990f8bc9417df90bb5
Instruction ID: e554d5530544f7bfc037c2e11fff63d9a6a7edb1c925d2ad5a4db68f4e5ba4fd
Opcode Fuzzy Hash: 33508f0c83e1a5f07c8441ff7fb8a9ca715392c64914d1990f8bc9417df90bb5
Instruction Fuzzy Hash: 51E0EC68E08D0790EA14BB01E8850759329BF58BA1FC01031C80F06230EEACE64EC730

Function 00007FF712FA8ED0 Relevance: 6.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

APIs

__std_exception_destroy.VCRUNTIME140 ref: 00007FF712FA8FE1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FA900D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FA913B
__std_exception_copy.VCRUNTIME140 ref: 00007FF712FA917D

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copy__std_exception_destroy
String ID:
API String ID: 2138705365-0
Opcode ID: 869f0602a0a687fa389a594b351a61fe7d91b5b5e84e8b672e990f446cde2dae
Instruction ID: 862a95f9bbcb36be52b110b1a647d0f84bf95564118a5e25d4f3ba4ba421917f
Opcode Fuzzy Hash: 869f0602a0a687fa389a594b351a61fe7d91b5b5e84e8b672e990f446cde2dae
Instruction Fuzzy Hash: 35818D72604E8581EF04AF29D48836DA32AFB44FD8F90A031D74D07A69EFB9D9D8C350

Function 00007FF712FABF60 Relevance: 6.2, APIs: 4, Instructions: 204COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF712FAC0E4

Part of subcall function 00007FF712FAC280: memmove.VCRUNTIME140 ref: 00007FF712FAC347

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FAC229
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FAC230
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FAC237

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memmove
String ID:
API String ID: 15630516-0
Opcode ID: e1937754f0f8dc652a4ec082e13e796315af966f323772c4cdfdb1cef055ca1a
Instruction ID: 9032ed640d0a7c3b865963d5614413a028b3fb3d6f19217832806d6f72f5c7f0
Opcode Fuzzy Hash: e1937754f0f8dc652a4ec082e13e796315af966f323772c4cdfdb1cef055ca1a
Instruction Fuzzy Hash: CF91C362F04F858AFB40DFA4D4403AD7366EB55BB8F806231DE2C166C9DFB89499C350

Function 00007FF712FAC7F0 Relevance: 6.2, APIs: 4, Instructions: 158COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF712FAC954

Part of subcall function 00007FF712FAE8F8: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF712FA7B5F,?,?,?,?,?,?,?,?,?,00007FF712FA1347), ref: 00007FF712FAE912

memmove.VCRUNTIME140 ref: 00007FF712FAC941
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FAC9EE
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF712FAC9FB

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 2075926362-0
Opcode ID: 68ffbc32ed889676f7ff5465ec86f0f6f5f6df4d3cc6bff6036ba88f80fc0b63
Instruction ID: 40713688426dc6c892bae02943674c36e3c08b14136cfa03b1bbbb567f9725fa
Opcode Fuzzy Hash: 68ffbc32ed889676f7ff5465ec86f0f6f5f6df4d3cc6bff6036ba88f80fc0b63
Instruction Fuzzy Hash: 2451E0B2B14F8A82DE44EF1695542A8A3A8F748FD0F809636DE9D07785DF7CE199C310

Function 00007FF712FA5050 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76e6dbf71f58cb8aa024952d63ad621d9219e4eee5aca5c58a19cf5b835a923b
Instruction ID: ef9aa95a32ea4568a22b41b0269f892214c7d2201820b89993da6f4bf1c5ba59
Opcode Fuzzy Hash: 76e6dbf71f58cb8aa024952d63ad621d9219e4eee5aca5c58a19cf5b835a923b
Instruction Fuzzy Hash: 94516D32B08E8186EB509F28E45437DB3A5FB84FA4F905236DA9D877A8DF78C548C710

Function 00007FF712FAA250 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,00007FF712FA8C89), ref: 00007FF712FAA32B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,00007FF712FA8C89), ref: 00007FF712FAA35F
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,00007FF712FA8C89), ref: 00007FF712FAA369
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF712FAA392

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: 0faf57b97d7808d930bd55a8767bf0ce9abed128e5ca975588bc3724e35148d4
Instruction ID: 617e70d402d35781d1afee68e795ad04cdf6a24b22fffdd075f731d208c6caa6
Opcode Fuzzy Hash: 0faf57b97d7808d930bd55a8767bf0ce9abed128e5ca975588bc3724e35148d4
Instruction Fuzzy Hash: 5B31D261B09F4285EE50BB1691042ADE3AAEB08FF0F985631DA6D077D5DEBDE05DC220

Function 00007FF712FA7880 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(FFFFFFFF,7FFFFFFFFFFFFFFE,?,?,00007FF712FA1605), ref: 00007FF712FA78C3
memmove.VCRUNTIME140(FFFFFFFF,7FFFFFFFFFFFFFFE,?,?,00007FF712FA1605), ref: 00007FF712FA7989
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF712FA79AD

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task
String ID:
API String ID: 1247048853-0
Opcode ID: bf3b4f0809a4b899754c485b6c32bff3f6cac7fe83c6683a8240f9c9a99bc329
Instruction ID: e706a1ea8475d22e0c7b4dd0e6b4cb24bb79b149707fe70980acf4c83f6f3338
Opcode Fuzzy Hash: bf3b4f0809a4b899754c485b6c32bff3f6cac7fe83c6683a8240f9c9a99bc329
Instruction Fuzzy Hash: 3331E422B0AB4181EA58AB11A4006BDA268BF4DFF4F981730DE7E077D1CEBCE185C310

Function 00007FF712FA7E60 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712FA7F32

Part of subcall function 00007FF712FAE8F8: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF712FA7B5F,?,?,?,?,?,?,?,?,?,00007FF712FA1347), ref: 00007FF712FAE912

memmove.VCRUNTIME140 ref: 00007FF712FA7F63
memmove.VCRUNTIME140 ref: 00007FF712FA7F73
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF712FA7F96

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 2075926362-0
Opcode ID: a0943a0ad14fa4aa678d8f9c091e7492cfd11b0b4dd48a73baee36a6094f65ef
Instruction ID: fc84a3ce8653f18e1c3a8654e9350cc9dd42ba454530950c390eb23b73c2aa0a
Opcode Fuzzy Hash: a0943a0ad14fa4aa678d8f9c091e7492cfd11b0b4dd48a73baee36a6094f65ef
Instruction Fuzzy Hash: 4C31E322B05B4591EA64EB12A4006ADA398EB48FF4F981731DE7E477D4DE7CE149C350

Function 00007FF712FA79C0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(00000000,?,?,?,00007FF712FA1347), ref: 00007FF712FA79F8
memmove.VCRUNTIME140(00000000,?,?,?,00007FF712FA1347), ref: 00007FF712FA7A99
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF712FA7AB7

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task
String ID:
API String ID: 1247048853-0
Opcode ID: eb24578017354564cf0405131be288cb952c9c9c76e63b1dd8142aaa5fc544e7
Instruction ID: ed452668fefd364cf03ae28d2c5618106d225a2b56c479d00aab47023b05d4c4
Opcode Fuzzy Hash: eb24578017354564cf0405131be288cb952c9c9c76e63b1dd8142aaa5fc544e7
Instruction Fuzzy Hash: 0E210722B0AF4655FA59BB11A90077C92489B04FF0F941B30DE2F077D2DEBCA586C320

Function 00007FF712FAE19C Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF712FAE1E5
GetLastError.KERNEL32 ref: 00007FF712FAE1F3
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF712FAA165), ref: 00007FF712FAE228
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF712FAA165), ref: 00007FF712FAE236

Memory Dump Source

Source File: 00000000.00000002.1659680262.00007FF712FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712FA0000, based on PE: true

Associated: 00000000.00000002.1659665825.00007FF712FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659699986.00007FF712FB1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659725959.00007FF712FC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1659747405.00007FF712FC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712fa0000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: 55b0b9489396ed7e5a37b543635f95f363c1a74e51aaa4759b5b8ffd6767a4f5
Instruction ID: f945ba830b7f6a8f0f8c4bc8f954b204ed8103c583fc66be02560fc796068500
Opcode Fuzzy Hash: 55b0b9489396ed7e5a37b543635f95f363c1a74e51aaa4759b5b8ffd6767a4f5
Instruction Fuzzy Hash: 60214972A18B9186E3509F12E44432EBAB8F788FD0F544139DB8963B58CF7CD409CB50

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exePID: 6824, Parent PID: 2580

General

Chronological Activities

Analysis Process: conhost.exePID: 6868, Parent PID: 6824

General

Chronological Activities

Disassembly

Analysis Process: SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exePID: 6824, Parent PID: 2580COMMON

Execution Graph

Windows Analysis Report
SecuriteInfo.com.W64.Gamehack.DF.gen.Eldorado.1858.10572.exe

Function 00007FF712FA5910 Relevance: 13.6, APIs: 9, Instructions: 138
COMMON

Function 00007FF712FAEF38 Relevance: 13.6, APIs: 9, Instructions: 94
COMMON

Function 00007FF712FA5AF0 Relevance: 4.5, APIs: 3, Instructions: 17
COMMON

Function 00007FF712FA1800 Relevance: 65.0, APIs: 23, Strings: 14, Instructions: 295
filethreadCOMMON

Function 00007FF712FAE268 Relevance: 33.2, APIs: 22, Instructions: 224
fileCOMMON

Function 00007FF712FA2AE0 Relevance: 31.7, APIs: 11, Strings: 7, Instructions: 217
nativememoryCOMMON

Function 00007FF712FA3300 Relevance: 70.4, APIs: 20, Strings: 20, Instructions: 365
COMMON

Function 00007FF712FAAB80 Relevance: 58.1, APIs: 19, Strings: 14, Instructions: 314
memoryCOMMON

Function 00007FF712FACF50 Relevance: 56.3, APIs: 18, Strings: 14, Instructions: 263
registrylibraryloaderCOMMON

Function 00007FF712FAA6E0 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 270
COMMON

Function 00007FF712FAD3A0 Relevance: 35.2, APIs: 13, Strings: 7, Instructions: 177
registrylibraryloaderCOMMON

Function 00007FF712FA1D20 Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 195
COMMON

Function 00007FF712FA2660 Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 197
COMMON

Function 00007FF712FA2FE0 Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 197
COMMON

Function 00007FF712FA21B0 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 130
COMMON